Acunetix Website Audit

11 August, 2012
Developer Report
Generated by Acunetix WVS Reporter (v8.0 Build 20120808)
Scan of http://mssql.preview.xss.cx:80/mla2000/
Scan details
Scan information
Start time: 8/11/2012 9:06:16 AM
Finish time: 8/11/2012 9:09:13 AM
Scan time: 2 minutes, 57 seconds
Profile: Default
Server information
Responsive: True
Server banner: Microsoft-IIS/7.5
Server OS: Windows
Server technologies:
Threat level
Acunetix Threat Level 3
One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website.
Alerts distribution
Total alerts found: 68
High: 33
Medium: 7
Low: 4
Informational: 24
Knowledge base
List of file extensions
File extensions can provide information on what technologies are being used on this website.
List of file extensions detected:


- asp => 17 file(s)
- js => 2 file(s)
- css => 1 file(s)
List of client scripts
These files contain Javascript code referenced from the website.


- /mla2000/scripts/js/mla_sql.js
- /mla2000/scripts/js/mylittletree.js
List of files with inputs
These files have at least one input (GET or POST).


- /mla2000/scripts/hlp/connected.asp - 1 input
- /mla2000/scripts/conn/dsn.asp - 1 input
- /mla2000/scripts/conn/dsnless.asp - 1 input
- /mla2000/scripts/pref/theme.asp - 1 input
- /mla2000/scripts/pref/display.asp - 1 input
- /mla2000/scripts/pref/language.asp - 1 input

List of external hosts
These hosts were linked from this website but were not scanned because they are not in the list of hosts allowed (Settings->Scanners settings->Scanner->List of hosts allowed).


- www.mylittletools.net
List of email addresses
List of all email addresses found on this host.


- webmaster@myLittleTools.net
Alerts summary
 
Cross Site Scripting (verified)
Affects | Variations
/mla2000/scripts/conn/dsn.asp | 1
/mla2000/scripts/conn/dsnless.asp | 32

HTML form without CSRF protection
Affects | Variations
/mla2000/scripts/conn/dsn.asp | 1
/mla2000/scripts/conn/dsnless.asp | 1
/mla2000/scripts/pref/display.asp | 1
/mla2000/scripts/pref/language.asp | 1
/mla2000/scripts/pref/theme.asp | 1

User credentials are sent in clear text
Affects | Variations
/mla2000/scripts/conn/dsn.asp | 1
/mla2000/scripts/conn/dsnless.asp | 1

Possible sensitive directories
Affects | Variations
/mla2000/scripts/db | 1
/mla2000/scripts/DB | 1
/mla2000/scripts/inc | 1
/mla2000/scripts/tools | 1
 
 
Broken links
Affects | Variations
/mla2000/scripts/connection/default.asp | 1
/mla2000/scripts/inc/scripts/conn/default.asp | 1
/mla2000/scripts/inc/webmaster@mylittletools.net | 1
/mla2000/webmaster@mylittletools.net | 1

Email address found
Affects | Variations
/mla2000/default.asp | 1
/mla2000/scripts/conn/default.asp | 1
/mla2000/scripts/conn/dsn.asp | 1
/mla2000/scripts/conn/dsnless.asp | 1
/mla2000/scripts/conn/expired.asp | 1
/mla2000/scripts/hlp/connected.asp | 1
/mla2000/scripts/hlp/default.asp | 1
/mla2000/scripts/inc/frameset.asp | 1
/mla2000/scripts/inc/frameset2.asp | 1
/mla2000/scripts/inc/header.asp | 1
/mla2000/scripts/inc/tree.asp | 1
/mla2000/scripts/inc/tree2.asp | 1
/mla2000/scripts/pref/default.asp | 1
/mla2000/scripts/pref/display.asp | 1
/mla2000/scripts/pref/language.asp | 1
/mla2000/scripts/pref/theme.asp | 1
/mla2000/themes/classic/css/mla_sql.css | 1

Password type input with autocomplete enabled
Affects | Variations
/mla2000/scripts/conn/dsn.asp | 1
/mla2000/scripts/conn/dsnless.asp | 1

Possible username or password disclosure
Affects | Variations
/mla2000/scripts/hlp/connected.asp | 1
 
Alert details
Cross Site Scripting (verified)
 
Severity: High
Type: Validation
Reported by module: Scripting (XSS.script)
Description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.
Impact
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
Recommendation
Your script should filter metacharacters from user input.
References
ASP.NET Unicode Character Conversion XSS
Acunetix Cross Site Scripting Attack
How To: Prevent Cross-Site Scripting in ASP.NET
Microsoft ASP.NET request filtering flaw
OWASP PHP Top 5
Cross site scripting
XSS cheat sheet
XSS Annihilation
OWASP Cross Site Scripting
The Cross Site Scripting Faq
Security Focus - Penetration Testing for Web Applications (Part Two)
Allowing HTML and Preventing XSS
Affected items
/mla2000/scripts/conn/dsn.asp
Details
URL encoded POST input mla_conn_user was set to '"()&%1<ScRiPt >prompt(992424)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to '"()&%1<ScRiPt >prompt(960313)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to undefined1<ScRiPt >prompt(935068)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to undefined1<ScRiPt >prompt(988472)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to undefined1<ScRiPt >prompt(928042)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to '"()&%1<ScRiPt >prompt(955908)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to '"()&%1<ScRiPt >prompt(987045)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to '"()&%1<ScRiPt >prompt(903424)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_initialcatalog was set to '"()&%1<ScRiPt >prompt(908623)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_networklibrary was set to '"()&%1<ScRiPt >prompt(983993)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_networklibrary was set to 1<ScRiPt >prompt(917456)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_password was set to '"()&%1<ScRiPt >prompt(902421)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_password was set to '"()&%1<ScRiPt >prompt(941993)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_password was set to 1<ScRiPt >prompt(932580)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_password was set to '"()&%1<ScRiPt >prompt(983245)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_password was set to '"()&%1<ScRiPt >prompt(997329)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_password was set to '"()&%1<ScRiPt >prompt(918274)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_password was set to '"()&%1<ScRiPt >prompt(999539)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to undefined1<ScRiPt >prompt(992830)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to undefined1<ScRiPt >prompt(918570)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to '"()&%1<ScRiPt >prompt(922684)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to '"()&%1<ScRiPt >prompt(997060)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to '"()&%1<ScRiPt >prompt(919927)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to '"()&%1<ScRiPt >prompt(989406)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to undefined1<ScRiPt >prompt(978994)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to 1<ScRiPt >prompt(937788)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_portnumber was set to undefined1<ScRiPt >prompt(985007)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_user was set to '"()&%1<ScRiPt >prompt(948886)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_user was set to '"()&%1<ScRiPt >prompt(985355)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_user was set to '"()&%1<ScRiPt >prompt(934687)</ScRiPt>
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_user was set to '"()&%1<ScRiPt >prompt(969555)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_user was set to undefined1<ScRiPt >prompt(978432)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
/mla2000/scripts/conn/dsnless.asp
Details
URL encoded POST input mla_conn_user was set to undefined1<ScRiPt >prompt(988190)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /mla2000/scripts/hlp/connected.asp?refresh=1 HTTP/1.1
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: mssql.preview.xss.cx
HTML form without CSRF protection
 
Severity: Medium
Type: Informational
Reported by module: Crawler
Description
This alert may be a false positive; manual confirmation is required.
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

Acunetix WVS found an HTML form with no apparent CSRF protection implemented. Consult the details for more information about the affected HTML form.
Impact
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
Recommendation
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
Affected items
/mla2000/scripts/conn/dsn.asp
Details
Form name: mla_conn
Form action: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsn.asp
Form method: POST

Form inputs:

- mla_conn_dsn [Text]
- mla_conn_user [Text]
- mla_conn_password [Password]
- mla_conn_cookie [Checkbox]
- mla_conn_submit [Submit]
Request headers
GET /mla2000/scripts/conn/dsn.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/conn/dsnless.asp
Details
Form name: mla_conn
Form action: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsnless.asp
Form method: POST

Form inputs:

- mla_conn_datasource [Text]
- mla_conn_portnumber [Text]
- mla_conn_initialcatalog [Text]
- mla_conn_provider [Radio]
- mla_conn_networklibrary [Select]
- mla_conn_trusted [Checkbox]
- mla_conn_user [Text]
- mla_conn_password [Password]
- mla_conn_co ... (line truncated)
Request headers
GET /mla2000/scripts/conn/dsnless.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/pref/display.asp
Details
Form name: mla_cfg
Form action: http://mssql.preview.xss.cx/mla2000/scripts/pref/display.asp
Form method: POST

Form inputs:

- mla_cfg_showsysdatabases [Checkbox]
- mla_cfg_showsystables [Checkbox]
- mla_cfg_showsysviews [Checkbox]
- mla_cfg_showsysprocedures [Checkbox]
- mla_cfg_showsysfunctions [Checkbox]
- mla_cfg_pagesize [Text]
- mla_cfg_maxdisplayedchar [Text]
- mla_cfg_maxd ... (line truncated)
Request headers
GET /mla2000/scripts/pref/display.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/pref/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/pref/language.asp
Details
Form name: mla_cfg
Form action: http://mssql.preview.xss.cx/mla2000/scripts/pref/language.asp
Form method: POST

Form inputs:

- mla_cfg_lng [Select]
- mla_cfg_cancel [Submit]
- mla_cfg_submit [Submit]
Request headers
GET /mla2000/scripts/pref/language.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/pref/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/pref/theme.asp
Details
Form name: mla_cfg
Form action: http://mssql.preview.xss.cx/mla2000/scripts/pref/theme.asp
Form method: POST

Form inputs:

- mla_cfg_theme [Select]
- mla_cfg_cancel [Submit]
- mla_cfg_submit [Submit]
Request headers
GET /mla2000/scripts/pref/theme.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/pref/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
User credentials are sent in clear text
 
Severity: Medium
Type: Informational
Reported by module: Crawler
Description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
Recommendation
Because user credentials are considered sensitive information, they should always be transferred to the server over an encrypted connection (HTTPS).
Affected items
/mla2000/scripts/conn/dsn.asp
Details
Form name: mla_conn
Form action: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsn.asp
Form method: POST

Form inputs:

- mla_conn_dsn [Text]
- mla_conn_user [Text]
- mla_conn_password [Password]
- mla_conn_cookie [Checkbox]
- mla_conn_submit [Submit]
Request headers
GET /mla2000/scripts/conn/dsn.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/conn/dsnless.asp
Details
Form name: mla_conn
Form action: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsnless.asp
Form method: POST

Form inputs:

- mla_conn_datasource [Text]
- mla_conn_portnumber [Text]
- mla_conn_initialcatalog [Text]
- mla_conn_provider [Radio]
- mla_conn_networklibrary [Select]
- mla_conn_trusted [Checkbox]
- mla_conn_user [Text]
- mla_conn_password [Password]
- mla_conn_co ... (line truncated)
Request headers
GET /mla2000/scripts/conn/dsnless.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Possible sensitive directories
 
Severity: Low
Type: Validation
Reported by module: Scripting (Possible_Sensitive_Directories.script)
Description
A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources such as backup directories, database dumps, administration pages and temporary directories. Each of these directories could help an attacker learn more about the target.
Impact
This directory may expose sensitive information that could help a malicious user to prepare more advanced attacks.
Recommendation
Restrict access to this directory or remove it from the website.
References
Web Server Security and Database Server Security
Affected items
/mla2000/scripts/db
Details
No details are available.
Request headers
GET /mla2000/scripts/db HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
/mla2000/scripts/DB
Details
No details are available.
Request headers
GET /mla2000/scripts/DB HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
/mla2000/scripts/inc
Details
No details are available.
Request headers
GET /mla2000/scripts/inc HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
/mla2000/scripts/tools
Details
No details are available.
Request headers
GET /mla2000/scripts/tools HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Broken links
 
Severity: Informational
Type: Informational
Reported by module: Crawler
Description
A broken link is any link that should take you to a document, image or web page but actually results in an error. This page was linked from the website but it is inaccessible.
Impact
Problems navigating the site.
Recommendation
Remove the links to this file or make it accessible.
Affected items
/mla2000/scripts/connection/default.asp
Details
No details are available.
Request headers
GET /mla2000/scripts/connection/default.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/inc/scripts/conn/default.asp
Details
No details are available.
Request headers
GET /mla2000/scripts/inc/scripts/conn/default.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/inc/webmaster@mylittletools.net
Details
No details are available.
Request headers
GET /mla2000/scripts/inc/webmaster@mylittletools.net HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/webmaster@mylittletools.net
Details
No details are available.
Request headers
GET /mla2000/webmaster@mylittletools.net HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
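The two webmaster@mylittletools.net items can be reproduced without touching the target. The Python below is an added example written for this page, not code from Acunetix or from the scanned application; the sample HTML and the base URL are constructed, modelled on the frameset.asp referer shown in the request headers above. It shows what an unfiltered crawler does with a bare e-mail address and with a root-relative path written without a leading slash, and the filter a broken-link check should apply before requesting anything.

```python
"""Added example (not from the Acunetix report or the scanned application):
reproduce how a crawler turns a bare e-mail address in page text into the
'broken link' /mla2000/scripts/inc/webmaster@mylittletools.net, and filter such
candidates before counting them as link errors. The HTML below is constructed
for the example; it is not the real frameset.asp."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample; the base URL is the referer the report shows (assumption).
BASE_URL = "http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset.asp"
SAMPLE_HTML = """
<html><body>
<a href="../conn/default.asp">Connection</a>
<a href="webmaster@mylittletools.net">contact</a>
<a href="mailto:webmaster@mylittletools.net">mail</a>
<a href="http://www.mylittletools.net/">vendor</a>
<a href="scripts/conn/default.asp">nested</a>
</body></html>
"""

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


class HrefCollector(HTMLParser):
    """Collect raw href values from <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = HrefCollector()
    parser.feed(html)
    return parser.hrefs


def naive_resolve(base, hrefs):
    """What an unfiltered crawler does: every href is joined against the base.
    A bare address becomes <base dir>/webmaster@mylittletools.net, exactly the
    path the report lists as broken."""
    return [urljoin(base, h) for h in hrefs]


def classify(base, href):
    """Return ('skip', reason) for non-HTTP candidates, else ('check', absolute URL)."""
    scheme = urlparse(href).scheme
    if scheme == "mailto":
        return ("skip", "mailto")
    if scheme and scheme not in ("http", "https"):
        return ("skip", scheme)
    if EMAIL_RE.match(href):
        return ("skip", "bare e-mail address")
    return ("check", urljoin(base, href))


def link_candidates(base, html, allowed_hosts):
    """Absolute in-scope URLs a broken-link check should actually request."""
    out = []
    for href in extract_hrefs(html):
        kind, value = classify(base, href)
        if kind == "check" and urlparse(value).netloc in allowed_hosts:
            out.append(value)
    return out


if __name__ == "__main__":
    print("naive:", naive_resolve(BASE_URL, extract_hrefs(SAMPLE_HTML)))
    print("filtered:", link_candidates(BASE_URL, SAMPLE_HTML, {"mssql.preview.xss.cx"}))
```

The second naive result, /mla2000/scripts/inc/scripts/conn/default.asp, is the other broken path the report lists; a relative href intended for the application root but resolved against the include's directory produces exactly that, which is the first thing to check in the frameset source.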
Email address found
 
Severity: Informational
Type: Informational
Reported by module: Scripting (Text_Search.script)
Description
One or more email addresses were found on this page. Most spam originates from addresses harvested off the internet: spam-bots (also known as email harvesters or email extractors) crawl websites looking for strings such as myname@mydomain.com and record every address they find.
Impact
Email addresses published on web pages may attract spam.
Recommendation
Avoid publishing the address as plain text (use a contact form or obfuscate it); see the references below for details.
References
Spam-Proofing Your Website
Why Am I Getting All This Spam?
Affected items
/mla2000/default.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/default.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/restart.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/conn/default.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/conn/default.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/hlp/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/conn/dsn.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/conn/dsn.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/conn/dsnless.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/conn/dsnless.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/conn/expired.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/conn/expired.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/db/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/hlp/connected.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/hlp/connected.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsn.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/hlp/default.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/hlp/default.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/inc/frameset.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/inc/frameset.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/inc/frameset2.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/inc/frameset2.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/inc/header.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/inc/header.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/inc/tree.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/inc/tree.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/inc/tree2.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/inc/tree2.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/inc/tree.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/pref/default.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/pref/default.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/hlp/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/pref/display.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/pref/display.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/pref/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/pref/language.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/pref/language.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/pref/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/pref/theme.asp
Details

Pattern found: webmaster@myLittleTools.net
Request headers
GET /mla2000/scripts/pref/theme.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/pref/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/themes/classic/css/mla_sql.css
Details

Pattern found: webmaster@mylittletools.net
Request headers
GET /mla2000/themes/classic/css/mla_sql.css HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/inc/header.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Password type input with autocomplete enabled
 
Severity: Informational
Type: Informational
Reported by module: Crawler
Description
When a new username and password are entered in a form and the form is submitted, the browser offers to save the password. Thereafter, whenever the form is displayed, the username and password are filled in automatically or completed as the username is typed. An attacker with local access to the machine could obtain the cleartext password from the browser's saved-password store.
Impact
Possible sensitive information disclosure
Recommendation
Password autocomplete should be disabled in sensitive applications. Two caveats: modern browsers (Chrome and Firefox since 2014) ignore autocomplete="off" on password fields and still offer to save the credential, so this is defence in depth rather than a fix; and the forms flagged here (mla_conn on dsn.asp and dsnless.asp) collect database credentials, so a password saved by the browser here is a database login, not merely a web login.
To disable autocomplete, you may use code similar to:
<INPUT TYPE="password" AUTOCOMPLETE="off">
Affected items
/mla2000/scripts/conn/dsn.asp
Details
Password type input named mla_conn_password from form named mla_conn with action dsn.asp has autocomplete enabled.
Request headers
GET /mla2000/scripts/conn/dsn.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
/mla2000/scripts/conn/dsnless.asp
Details
Password type input named mla_conn_password from form named mla_conn with action dsnless.asp has autocomplete enabled.
Request headers
GET /mla2000/scripts/conn/dsnless.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
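The check behind this alert is a static one over the form markup. The Python below is an added example written for this page, not Acunetix's crawler code and not part of the scanned application; the two forms are constructed from the detail lines above (form mla_conn, action dsn.asp, input mla_conn_password) and are an assumption about what dsn.asp renders. It flags a password input when neither the input nor its enclosing form carries autocomplete="off", and reproduces the report's wording for each finding.

```python
"""Added example (not from the Acunetix report or the scanned application): the
check behind 'Password type input with autocomplete enabled', run over a form
constructed from the report's detail line. The HTML is an assumption."""
from html.parser import HTMLParser

# Constructed, modelled on the report's detail for dsn.asp (not the real page).
SAMPLE_FORM = """
<form name="mla_conn" action="dsn.asp" method="post">
  <input type="text" name="mla_conn_user">
  <input type="password" name="mla_conn_password">
  <input type="submit" name="mla_conn_submit" value="Connect">
</form>
"""

# The same form with the report's recommendation applied.
FIXED_FORM = """
<form name="mla_conn" action="dsn.asp" method="post" autocomplete="off">
  <input type="text" name="mla_conn_user" autocomplete="off">
  <input type="password" name="mla_conn_password" autocomplete="off">
  <input type="submit" name="mla_conn_submit" value="Connect">
</form>
"""


def _attr(attrs, name):
    """Case-insensitive attribute lookup; None when absent or valueless."""
    for key, value in attrs:
        if key.lower() == name:
            return value
    return None


class PasswordAutocompleteChecker(HTMLParser):
    """Report password inputs whose autocomplete is not 'off' on the input or its form."""

    def __init__(self):
        super().__init__()
        self.form = None  # (name, action, autocomplete) of the currently open form
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "form":
            self.form = (_attr(attrs, "name"), _attr(attrs, "action"),
                         (_attr(attrs, "autocomplete") or "").lower())
        elif tag == "input" and (_attr(attrs, "type") or "text").lower() == "password":
            own = (_attr(attrs, "autocomplete") or "").lower()
            form_name, action, form_ac = self.form or (None, None, "")
            if own != "off" and form_ac != "off":
                self.findings.append({"input": _attr(attrs, "name"),
                                      "form": form_name, "action": action})

    def handle_endtag(self, tag):
        if tag.lower() == "form":
            self.form = None


def check_password_autocomplete(html):
    checker = PasswordAutocompleteChecker()
    checker.feed(html)
    return checker.findings


def describe(finding):
    """Same sentence shape as the report's Details line."""
    return ("Password type input named %s from form named %s with action %s "
            "has autocomplete enabled." % (finding["input"], finding["form"], finding["action"]))


if __name__ == "__main__":
    for finding in check_password_autocomplete(SAMPLE_FORM):
        print(describe(finding))
    print("fixed form findings:", check_password_autocomplete(FIXED_FORM))
```

Because browsers no longer honour the attribute on password fields, treat a clean result from this check as the absence of a scanner finding, not as proof that the credential will not be stored.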
Possible username or password disclosure
 
Severity: Informational
Type: Informational
Reported by module: Scripting (Text_Search.script)
Description
A username and/or password was found in this file. This information could be sensitive.

This alert may be a false positive; manual confirmation is required. Here the matched pattern is Pwd=acUn3t1x in the response of /mla2000/scripts/hlp/connected.asp, requested with dsn.asp as the referer, which suggests the page echoes the submitted connection string, password included, back to the browser. Confirm by submitting the connection form with a known password and checking whether it appears verbatim in the response body. Despite the Informational rating, a confirmed echo of the database password is a genuine disclosure: the response can persist in browser and proxy caches and in anything that logs response bodies.
Impact
Possible sensitive information disclosure.
Recommendation
Remove this file from your website or change its permissions to remove access. If the page must display connection details, mask the password (and preferably the user ID) before rendering and send Cache-Control: no-store on the response.
Affected items
/mla2000/scripts/hlp/connected.asp
Details

Pattern found: Pwd=acUn3t1x
Request headers
GET /mla2000/scripts/hlp/connected.asp HTTP/1.1
Pragma: no-cache
Referer: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsn.asp
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASPSESSIONIDSCBRSDDB=HGJLFMCDDJBEIAJBLBJMCGHD
Host: mssql.preview.xss.cx
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
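Both Text_Search.script findings in this report, the contact address under "Email address found" and the Pwd= pattern above, are plain pattern matches over response bodies, and the remediation for the second is a redaction of the same pattern. The Python below is an added example written for this page, not Acunetix's script and not code from the scanned application; the response bodies are constructed to resemble the report's findings (the connection string around Pwd=acUn3t1x is an assumption about what connected.asp shows). It implements the search for both patterns and the server-side masking the recommendation calls for.

```python
"""Added example (not from the Acunetix report or the scanned application): a
response-body text search for the two patterns the report's Text_Search.script
module flagged (contact e-mail addresses and connection-string credentials such
as Pwd=acUn3t1x), plus the redaction a page should apply before rendering.
The sample responses are constructed for the example."""
import re

# Constructed sample bodies keyed by path, modelled on the report's findings.
SAMPLE_RESPONSES = {
    "/mla2000/default.asp": "<p>Contact webmaster@myLittleTools.net</p>",
    "/mla2000/scripts/hlp/connected.asp":
        "Connected with: Provider=SQLOLEDB;Data Source=sqlhost;"
        "User ID=sa;Pwd=acUn3t1x;Initial Catalog=master",
    "/mla2000/themes/classic/css/mla_sql.css": "/* (c) webmaster@mylittletools.net */",
    "/mla2000/restart.asp": "<html><body>Session cleared</body></html>",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Keys that carry credentials in ODBC / OLE DB connection strings (case-insensitive).
SECRET_KEY_RE = re.compile(r'(?i)\b(pwd|password|user id|uid)\s*=\s*([^;\s"<]+)')


def find_emails(body):
    """Distinct addresses in the body, sorted for stable reporting."""
    return sorted(set(m.group(0) for m in EMAIL_RE.finditer(body)))


def find_credentials(body):
    """(key, value) pairs; the report's 'Pattern found: Pwd=...' is one of these."""
    return [(m.group(1), m.group(2)) for m in SECRET_KEY_RE.finditer(body)]


def redact_credentials(body):
    """What the page should emit instead: keep the key, mask the value."""
    return SECRET_KEY_RE.sub(lambda m: "%s=*****" % m.group(1), body)


def scan(responses):
    """One finding per (path, alert type) with a match, in response order."""
    findings = []
    for path, body in responses.items():
        emails = find_emails(body)
        if emails:
            findings.append({"path": path, "type": "Email address found",
                             "patterns": emails})
        creds = find_credentials(body)
        if creds:
            findings.append({"path": path, "type": "Possible username or password disclosure",
                             "patterns": ["%s=%s" % (k, v) for k, v in creds]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding["path"], "-", finding["type"], "-", ", ".join(finding["patterns"]))
    print(redact_credentials(SAMPLE_RESPONSES["/mla2000/scripts/hlp/connected.asp"]))
```

Run the same two searches over a full proxy capture of the application, not only the pages the crawler reached: the credential pattern is the one worth a hard stop, and a match in any response body means the password has already left the server.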
Scanned items (coverage report)
URL: http://mssql.preview.xss.cx/mla2000/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/header.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/tree.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/scripts
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/scripts/conn
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/scripts/conn/default.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/webmaster@mylittletools.net
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/frameset2.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/inc/tree2.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/connection
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/connection/default.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/js/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/js/mla_sql.js
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/js/mylittletree.js
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/hlp/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/hlp/default.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/hlp/connected.asp
Vulnerabilities have been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name                    Input type
refresh                       URL encoded GET
URL: http://mssql.preview.xss.cx/mla2000/scripts/conn/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/conn/default.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsn.asp
Vulnerabilities have been identified for this URL
5 input(s) found for this URL
Inputs
Input scheme 1
Input name                    Input type
mla_conn_cookie               URL encoded POST
mla_conn_dsn                  URL encoded POST
mla_conn_password             URL encoded POST
mla_conn_submit               URL encoded POST
mla_conn_user                 URL encoded POST
URL: http://mssql.preview.xss.cx/mla2000/scripts/conn/dsnless.asp
Vulnerabilities have been identified for this URL
10 input(s) found for this URL
Inputs
Input scheme 1
Input name                    Input type
mla_conn_cookie               URL encoded POST
mla_conn_datasource           URL encoded POST
mla_conn_initialcatalog       URL encoded POST
mla_conn_networklibrary       URL encoded POST
mla_conn_password             URL encoded POST
mla_conn_portnumber           URL encoded POST
mla_conn_provider             URL encoded POST
mla_conn_submit               URL encoded POST
mla_conn_trusted              URL encoded POST
mla_conn_user                 URL encoded POST
URL: http://mssql.preview.xss.cx/mla2000/scripts/conn/expired.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/pref/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/pref/default.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/pref/theme.asp
Vulnerabilities have been identified for this URL
3 input(s) found for this URL
Inputs
Input scheme 1
Input name                    Input type
mla_cfg_cancel                URL encoded POST
mla_cfg_submit                URL encoded POST
mla_cfg_theme                 URL encoded POST
URL: http://mssql.preview.xss.cx/mla2000/scripts/pref/display.asp
Vulnerabilities have been identified for this URL
12 input(s) found for this URL
Inputs
Input scheme 1
Input name                    Input type
mla_cfg_cancel                URL encoded POST
mla_cfg_firstdayofweek        URL encoded POST
mla_cfg_maxdisplayedbin       URL encoded POST
mla_cfg_maxdisplayedchar      URL encoded POST
mla_cfg_pagesize              URL encoded POST
mla_cfg_rowdelimiter          URL encoded POST
mla_cfg_showsysdatabases      URL encoded POST
mla_cfg_showsysfunctions      URL encoded POST
mla_cfg_showsysprocedures     URL encoded POST
mla_cfg_showsystables         URL encoded POST
mla_cfg_showsysviews          URL encoded POST
mla_cfg_submit                URL encoded POST
URL: http://mssql.preview.xss.cx/mla2000/scripts/pref/language.asp
Vulnerabilities have been identified for this URL
3 input(s) found for this URL
Inputs
Input scheme 1
Input name                    Input type
mla_cfg_cancel                URL encoded POST
mla_cfg_lng                   URL encoded POST
mla_cfg_submit                URL encoded POST
URL: http://mssql.preview.xss.cx/mla2000/scripts/db/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/scripts/tools/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/webmaster@mylittletools.net
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/css/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/css/mla_sql.css
Vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/images/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/images/window/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/images/action/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/images/mylittletree/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/themes/classic/images/obj32/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/restart.asp
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://mssql.preview.xss.cx/mla2000/default.asp
Vulnerabilities have been identified for this URL
No input(s) found for this URL