SQL Injection, Database Error, offers.lendingtree.com, xss.cx, hoyt llc research, CWE-89, CAPEC-66, DORK, GHDB

The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.

Impact

The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code in order to handle unexpected errors, this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.

- /splitter/splitter.ashx

/splitter/splitter.ashx CONFIRMED

http://offers.lendingtree.com/splitter/splitter.ashx?id=%27;WAITFOR%20DELAY%20%270:0:25%27--&promo=0..

Parameters

Parameter	Type	Value
id	GET	';WAITFOR DELAY '0:0:25'--
promo	GET	00313
source	GET	4666360
esourceid	GET	4666360
800Num	GET	1-800-289-1731'
adtype	GET	2

Request

GET /splitter/splitter.ashx?id=%27;WAITFOR%20DELAY%20%270:0:25%27--&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731'&adtype=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: offers.lendingtree.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 23 Apr 2011 16:05:29 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Nickname: Cartman
X-Powered-By: ASP.NET
Content-Length: 56
Connection: keep-alive

The next configuration set in the chain cannot be found.

Netsparker identified that the target web server is disclosing ASP.NET version in the HTTP response. This information can help an attacker to develop further attacks and also the system can become an easier target for automated attacks. It was leaked from X-AspNet-Version banner of HTTP response or default ASP.NET error page.

Impact

An attacker can use disclosed information to harvest specific security vulnerabilities for the version identified. The attacker can also use this information in conjunction with the other vulnerabilities in the application or web server.

Remedy

Apply the following changes on your web.config file to prevent information leakage by using custom error pages and removing X-AspNet-Version from HTTP responses.

<System.Web>
     < httpRuntime enableVersionHeader="false" /> 
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</System.Web>

Remedy References

- /splitter/splitter.ashx

/splitter/splitter.ashx

http://offers.lendingtree.com/splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&es..

Extracted Version

2.0.50727

Request

GET /splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731'&adtype=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: offers.lendingtree.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 23 Apr 2011 16:05:25 GMT
Location: http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysflanding&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731%27&adtype=2
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Nickname: Cartman
X-Powered-By: ASP.NET
Content-Length: 288
Connection: keep-alive

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysflanding&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731%27&adtype=2">here</a>.</h2>
</body></html>

Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

Impact

An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.

Remediation

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

- /splitter/splitter.ashx

/splitter/splitter.ashx

http://offers.lendingtree.com/splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&es..

Extracted Version

Microsoft-IIS/7.5

SQL Injection, Database Error, offers.lendingtree.com, xss.cx, hoyt llc research, CWE-89, CAPEC-66, DORK, GHDB

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Total Requests

Average Speed

GHDB, DORK Tests

VULNERABILITIES

VULNERABILITY SUMMARY

Internal Server Error

Impact

Remedy

/splitter/splitter.ashx CONFIRMED

Parameters

Request

Response

ASP.NET Version Disclosure

Impact

Remedy

Remedy References

/splitter/splitter.ashx

Extracted Version

Request

Response

IIS Version Disclosure

Impact

Remediation

/splitter/splitter.ashx

Extracted Version

Request

Response

VULNERABILITIES Vulnerabilities
	LOW 67 % INFORMATION 33 %