HTTP Header Injection, CWE-113, 0x20, DORK, GHDB, login.techweb.com REPORT SUMMARY

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


Netsparker - Scan Report Summary
TARGET URL: https://login.techweb.com/cas/login?service=h...
SCAN DATE: 4/22/2011 9:51:00 PM
REPORT DATE: 4/22/2011 9:54:54 PM
SCAN DURATION: 00:01:29
Total Requests: 6884
Average Speed: 76.70 req/sec.
Findings: 8 identified, 5 confirmed, 0 critical, 0 informational

GHDB, DORK Tests
PROFILE: Previous Settings
ENABLED ENGINES: Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Severity distribution: IMPORTANT 13 %, MEDIUM 25 %, LOW 63 %

VULNERABILITY SUMMARY

URL                                                    | Parameter | Method | Vulnerability                      | Confirmed
/cas/login                                             |           |        | Cookie Not Marked As Secure        | Yes
/cas/login                                             | service   | GET    | HTTP Header Injection              | No
/cas/login                                             | service   | GET    | Open Redirection                   | Yes
/cas/login                                             |           |        | Cookie Not Marked As HttpOnly      | Yes
/cas/login                                             |           |        | TRACE / TRACK Identified           | Yes
/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290 | lt        | POST   | Internal Server Error              | Yes
/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290 |           |        | Tomcat Version Disclosure          | No
/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290 | lt        | POST   | Tomcat Exception Report Disclosure | No
Cookie Not Marked As Secure

1 TOTAL | IMPORTANT | CONFIRMED: 1
A cookie was set over HTTPS without being marked as Secure. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful MITM (man-in-the-middle) attack.

Impact

This cookie will also be transmitted over plain HTTP connections; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack the victim's session. If the attacker can carry out a MITM attack, he or she can force the victim to make an HTTP request in order to steal the cookie.

Actions to Take

  1. See the remedy for the solution.
  2. Mark all cookies used within the application as Secure. (If a cookie is not related to authentication and does not carry any personal information, you do not have to mark it as Secure.)

Remedy

Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2 and have physical access to systems that act as way points for the traffic, or have gained access to a system located between the victim and the web server.
- /cas/login

/cas/login CONFIRMED

https://login.techweb.com/cas/login

Identified Cookie

JSESSIONID

Request

GET /cas/login HTTP/1.1
Referer: https://login.techweb.com/cas/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.techweb.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:51:05 GMT
Server: Apache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Set-Cookie: JSESSIONID=742210B33B6D40E56735547ED8CD3290; Path=/cas
Content-Language: en-US
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>UBM TechWeb Log-in</title>
<style type="text/css" media="screen">
@import "https://i.cmpnet.com/informationweek/whitepaper/v2/common/css/layout_ssl.css";
@import "https://i.cmpnet.com/informationweek/whitepaper/v2/common/css/layout1_ssl.css";
@import "https://i.cmpnet.com/informationweek/whitepaper/v2/common/css/style_ssl.css";
@import "https://i.cmpnet.com/informationweek/whitepaper/v2/common/css/iwkalerts.css";
@import "https://i.cmpnet.com/informationweek/whitepaper/v3/common/css/global.css";
</style>
<script src="https://i.cmpnet.com/custom/mds_javascript/jquery-1.4.1.min.js" type="text/javascript" charset="utf-8"></script>
</head>
<body>




<div id="layout">
<div id="main">
<div id="body_container">
<!-- Login Form Content -->
<div id="body_container_inner">
<div id="register_full_container">
<div id="register_full_container_inner">
<form id="fm1" class="fm-v clearfix" action="/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290" method="post">
<!-- <div class="box" id="login"> -->
<div class="contents">
<h1>UBM <span style="font-size:1.1em;"><strong>Tech</strong>Web Log-in</span></h1>
<div id="displayAsset">

</div>
<div id="displayAssetNew"></div>
<!-- <div class="row"> -->
<div class="contents_left">
<div class="register_black_subhead">Log-In:</div>
<div class="red"><strong></strong></div>
<span class="register_small">To log-in, please enter your e-mail address and password.</span>
<span class="register_small" id="forgot_password"><a href="">Forgot Password?</a></span><br />
<span class="required_note"><span class="red">*</span> = required</span>
<div class="outer_border">
<div class="inner_border">
<span class="required">
<Strong></strong>
</span>
<font class="red">*</font>e-mail: <span class="register_small_arial">Your e-mail serves as your user id.</span><br />
<input id="username" name="username" class="required" tabindex="1" type="text" value="" size="25" autocomplete="false"/><br/>
<font class="red">*</font>Password <span class="register_small_arial">(case sensitive)</span>:<br />
<input id="password" name="password" class="required" tabindex="2" type="password" value="" size="25" autocomplete="off"/><br clear="all" />
<input type="hidden" name="lt" value="_c7355887F-6DDC-19F4-A6B3-11894AF14F8D_k00C211D8-2DA4-91AA-46E6-E78F67AAAA6F" />
<input type="hidden" name="_eventId" value="submit" />
<!-- ADDED FOR REMEMBER ME FUNCTIONALITY -->
<div class="checkholder">
<input class="checkbox" type="checkbox" name="rememberMe" id="rememberMe" value="true" checked />
<div class="check_text">
<label for="rememberMe"><strong>Keep me signed in</strong><br />
so I don't have to log-in on all subsequent visits</label>
</div>
</div>
<input type="submit" class="button" name="Submit" value="" />
</div>
</div>
</div>



</div>
</form>
</div>
</div>
</div>
<!-- END Login Form Content -->

<!-- FOOTER -->
<!-- This is bottom banner and need to obtain dynamically from the database.-->
<div id="footer">
<div class="copyright">
<a href="http://legal.us.ubm.com/terms-of-service" rel="nofollow" target="_blank">Terms of Service</a> |
<a href="http://legal.us.ubm.com/privacy-notice" rel="nofollow" target="_blank">Privacy Statement</a> |
<a href="http://legal.us.ubm.com/copyright-notice" rel="nofollow" target="_blank">Copyright &copy; 2011 UBM TechWeb, All rights reserved.</a>
</div>
<div class="footer_menu">
<ul>
<a href="http://www.informationweek.com/newshome/">News</a> >>
<a href="http://www.informationweek.com/windows/">Windows</a> >>
<a href="http://www.informationweek.com/security/">Security</a> >>
<a href="http://www.informationweek.com/mobility/">Outsourcing</a> >>
<a href="http://www.informationweek.com/internet/">Internet</a> >>
<a href="http://www.informationweek.com/software/">Software</a> >>
<a href="http://www.informationweek.com/hardware/">Hardware</a> >>
<a href="http://www.informationweek.com/management/">Management</a> >>
<a href="http://www.informationweek.com/research/">Research &amp; Tools</a>
<br />
<br /> >>
<a href="http://www.informationweek.com/industries/">Industries</a> >>
<a href="http://www.techcareers.com/?affiliate=iwk">Careers</a>
</ul>
<ul class="down">
<a href="http://www.informationweek.com/aboutus.jhtml">About Us</a> >>
<a href="http://www.informationweek.com/contactus.jhtml">Contact Us</a> >>
<a href="http://www.informationweek.com/thisweek">Current Issue</a> >>
<a href="http://www.informationweek.com/maindocs/archive.htm">Back Issues</a> >>
<a href="http://www.informationweek.com/whitepaper/">White Papers</a> >>
<a href="http://briefingcenters.techweb.com/">Briefing Centers</a> >>
<a href="http://www.informationweek.com/sitemap/index.html">Site Map</a> >>
<a href="http://www.informationweek.com/contactsales.jhtml">Advertise</a> >>
<a href="http://www.informationweek.com/mediakit/">Media Kit</a>
</ul>
</div>
</div>

<!-- END FOOTER -->
</div>
</div>
</div>
<script src="https://i.cmpnet.com/informationweek/js/jsoncall/dr_renderAsset_new.js" type="text/javascript" charset="utf-8"></script>
</body>
</html>

HTTP Header Injection

1 TOTAL | MEDIUM
A CRLF (newline) injection in HTTP headers was identified. This means that user input is placed into HTTP response headers without proper input filtering.

Impact

Depending on the application, an attacker might carry out the following forms of attack:

Actions to Take

  1. See the remedy for solution.
  2. Ensure the server security patches are up to date and that the current stable version of the software is in use.

Remedy

Do not allow newline characters in input. Where possible, use strict whitelisting.

Required Skills for Successful Exploitation

Crafting the attack to exploit this issue is not a complex process. However, most unsophisticated attackers will not know that such an attack is possible. Also, an attacker needs to reach the victim by e-mail or a similar method in order to entice them to visit the site or click on a URL.

External References

- /cas/login

/cas/login

https://login.techweb.com/cas/login?service=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&..

Parameters

Parameter | Type | Value
service   | GET  | http://example.com/? ns: netsparker056650=vuln
gateway   | GET  | true

Request

GET /cas/login?service=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&gateway=true HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.techweb.com
Cookie: JSESSIONID=742210B33B6D40E56735547ED8CD3290
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 23 Apr 2011 02:51:16 GMT
Server: Apache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Location: http://example.com/?
ns: netsparker056650=vuln
Content-Language: en-US
Content-Length: 0
Content-Type: text/plain; charset=UTF-8


Open Redirection

1 TOTAL | MEDIUM | CONFIRMED: 1
Open Redirection occurs when a vulnerable web page redirects to another web page based on a user-controllable input.

Impact

An attacker can use this vulnerability to redirect users to other, malicious web sites, which can be used for phishing and similar attacks.

Remedy

External References

- /cas/login

/cas/login CONFIRMED

https://login.techweb.com/cas/login?service=http://www.netsparker.com?&gateway=true

Parameters

Parameter | Type | Value
service   | GET  | http://www.netsparker.com?
gateway   | GET  | true

Request

GET /cas/login?service=http://www.netsparker.com?&gateway=true HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.techweb.com
Cookie: JSESSIONID=742210B33B6D40E56735547ED8CD3290
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 23 Apr 2011 02:51:16 GMT
Server: Apache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Location: http://www.netsparker.com?
Content-Language: en-US
Content-Length: 0
Content-Type: text/plain; charset=UTF-8


Internal Server Error

1 TOTAL | LOW | CONFIRMED: 1
The server responded with an HTTP status 500. This indicates a server-side error. Reasons may vary, and the behaviour should be analysed carefully. If Netsparker is able to find a security issue in the same resource, it will report this as a separate vulnerability.

Impact

The impact may vary depending on the condition. Generally this indicates poor coding practices: not enough error checking, sanitization and whitelisting. However, there might be a bigger issue such as SQL Injection. If that is the case, Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code in order to handle unexpected errors. This should be a generic practice that does not disclose further information upon an error. All errors should be handled server-side only.
- /cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290 CONFIRMED

https://login.techweb.com/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

Parameters

Parameter | Type | Value
_eventId  | POST | submit
lt        | POST | ns:netsparker056650=vuln
password  | POST | 3
Submit    | POST | 3
username  | POST | Smith

Request

POST /cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290 HTTP/1.1
Referer: https://login.techweb.com/cas/login
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: login.techweb.com
Cookie: JSESSIONID=742210B33B6D40E56735547ED8CD3290
Content-Length: 84
Accept-Encoding: gzip, deflate

_eventId=submit&lt=%0D%0Ans:netsparker056650=vuln&password=3&Submit=3&username=Smith

Response

HTTP/1.1 500 Internal Server Error
Date: Sat, 23 Apr 2011 02:51:17 GMT
Server: Apache
Content-Length: 3918
Connection: close
Content-Type: text/html;charset=utf-8


<html><head><title>Apache Tomcat/5.5.23 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '
ns:netsparker056650=vuln', the expected format is '_c&lt;conversationId&gt;_k&lt;continuationId&gt;' org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:583) org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511) javax.servlet.http.HttpServlet.service(HttpServlet.java:710) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)</pre></p><p><b>root cause</b> <pre>org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '
ns:netsparker056650=vuln', the expected format is '_c&lt;conversationId&gt;_k&lt;continuationId&gt;' org.springframework.webflow.execution.repository.support.CompositeFlowExecutionKey.keyParts(CompositeFlowExecutionKey.java:123) org.springframework.webflow.execution.repository.support.AbstractConversationFlowExecutionRepository.parseFlowExecutionKey(AbstractConversationFlowExecutionRepository.java:144) org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:216) org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:111) org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:165) org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807) org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571) org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511) javax.servlet.http.HttpServlet.service(HttpServlet.java:710) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/5.5.23 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.23</h3></body></html>
Cookie Not Marked As HttpOnly

1 TOTAL | LOW | CONFIRMED: 1
The cookie was not marked as HttpOnly. HttpOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HttpOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HttpOnly. (After this change, JavaScript code will not be able to read the cookies.)

Remedy

Mark the cookie as HttpOnly. This will be an extra layer of defence against XSS. However, this is not a silver bullet and will not protect the system against Cross-site Scripting attacks; an attacker can use a tool such as XSS Tunnel to bypass HttpOnly protection.

External References

- /cas/login

/cas/login CONFIRMED

https://login.techweb.com/cas/login

Identified Cookie

JSESSIONID

Request

GET /cas/login HTTP/1.1
Referer: https://login.techweb.com/cas/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.techweb.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:51:05 GMT
Server: Apache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store
Set-Cookie: JSESSIONID=742210B33B6D40E56735547ED8CD3290; Path=/cas
Content-Language: en-US
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

[Response body omitted: identical to the login page shown under Cookie Not Marked As Secure.]

Tomcat Version Disclosure

1 TOTAL | LOW
Netsparker identified that the target web server is Tomcat. This information was gathered from the HTTP Headers.

Impact

An attacker can look for specific security vulnerabilities for the version disclosed by the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

https://login.techweb.com/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

Extracted Version

Apache Tomcat/5.5.23

Request

POST /cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290 HTTP/1.1
Referer: https://login.techweb.com/cas/login
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: login.techweb.com
Cookie: JSESSIONID=742210B33B6D40E56735547ED8CD3290
Content-Length: 84
Accept-Encoding: gzip, deflate

_eventId=submit&lt=%0D%0Ans:netsparker056650=vuln&password=3&Submit=3&username=Smith

Response

HTTP/1.1 500 Internal Server Error
Date: Sat, 23 Apr 2011 02:51:17 GMT
Server: Apache
Content-Length: 3918
Connection: close
Content-Type: text/html;charset=utf-8

[Response body omitted: identical to the Apache Tomcat/5.5.23 error report shown under Internal Server Error.]
TRACE / TRACK Identified

1 TOTAL | LOW | CONFIRMED: 1
Netsparker identified that the TRACE/TRACK method is allowed.

Impact

If the application is vulnerable to Cross-site Scripting and uses Http-Only Cookies then an attacker can bypass the Http-Only cookies limitation and read the cookies in an XSS attack.

Remedy

Disable this method in all production systems. Even if the application is not vulnerable to Cross-site Scripting, a debugging feature such as TRACE/TRACK should not be required in a production system and therefore should be disabled.

External References

- /cas/login

/cas/login CONFIRMED

https://login.techweb.com/cas/login?service=http://it-library.interop.com/download-preview?asset=/12..

Request

TRACE /cas/login?service=http://it-library.interop.com/download-preview?asset=/1292/the-2011-cloud-networking-report&gateway=true HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.techweb.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:51:05 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /cas/login?service=http://it-library.interop.com/download-preview?asset=/1292/the-2011-cloud-networking-report&gateway=true HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.techweb.com
Accept-Encoding: gzip, deflate

Tomcat Exception Report Disclosure

1 TOTAL | LOW
Netsparker identified that the target web server is disclosing exception report data in the HTTP response.

Impact

An attacker can obtain information such as: This information might help an attacker to learn more about the system and to potentially focus the development of further attacks on the target.

Remedy

Apply the following configuration to your web.xml file to prevent information leakage by applying custom error pages.

<error-page>
    <error-code>500</error-code>
    <location>/server_error.html</location>
</error-page>

Remedy References

- /cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

https://login.techweb.com/cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290

Parameters

Parameter   Type   Value
_eventId    POST   submit
lt          POST   ns:netsparker056650=vuln
password    POST   3
Submit      POST   3
username    POST   Smith

Request

POST /cas/login;jsessionid=742210B33B6D40E56735547ED8CD3290 HTTP/1.1
Referer: https://login.techweb.com/cas/login
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: login.techweb.com
Cookie: JSESSIONID=742210B33B6D40E56735547ED8CD3290
Content-Length: 84
Accept-Encoding: gzip, deflate

_eventId=submit&lt=%0D%0Ans:netsparker056650=vuln&password=3&Submit=3&username=Smith

Response

HTTP/1.1 500 Internal Server Error
Date: Sat, 23 Apr 2011 02:51:17 GMT
Server: Apache
Content-Length: 3918
Connection: close
Content-Type: text/html;charset=utf-8


<html><head><title>Apache Tomcat/5.5.23 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '
ns:netsparker056650=vuln', the expected format is '_c&lt;conversationId&gt;_k&lt;continuationId&gt;' org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:583) org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511) javax.servlet.http.HttpServlet.service(HttpServlet.java:710) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)</pre></p><p><b>root cause</b> <pre>org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '
ns:netsparker056650=vuln', the expected format is '_c&lt;conversationId&gt;_k&lt;continuationId&gt;' org.springframework.webflow.execution.repository.support.CompositeFlowExecutionKey.keyParts(CompositeFlowExecutionKey.java:123) org.springframework.webflow.execution.repository.support.AbstractConversationFlowExecutionRepository.parseFlowExecutionKey(AbstractConversationFlowExecutionRepository.java:144) org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:216) org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:111) org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:165) org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875) org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807) org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571) org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511) javax.servlet.http.HttpServlet.service(HttpServlet.java:710) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/5.5.23 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.23</h3></body></html>