SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Even though Netsparker believes that there is a SQL Injection in here it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure that it is an SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us, in order that we can address this issue for the next time and give you a more precise result.
Impact
Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
Reading, Updating and Deleting arbitrary data from the database
Executing commands on the underlying operating system
Reading, Updating and Deleting arbitrary tables from the database
Actions to Take
See the remedy for solution.
If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL Injection based problems.
Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
Monitor and review weblogs and application logs in order to uncover active or previous exploitation attempts.
Remedy
A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.
<font style="COLOR: black; FONT: 16pt/18pt verdana"> The web site you are accessing has experienced an unexpected error.<br> Please contact the website administrator.
</font> <br><br> <table border="1" cellpadding="3" bordercolor="#000808" bgcolor="#e7e7e7"> <tr> <td bgcolor="#000066"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> The following information is meant for the website developer for debugging purposes. </font> </td> <tr> <tr> <td bgcolor="#4646EE"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> Error Occurred While Processing Request </font> </td> </tr> <tr> <td> <font style="COLOR: black; FONT: 8pt/11pt verdana">
<li>Check the <a href='http://www.adobe.com/go/prod_doc' target="new">ColdFusion documentation</a> to verify that you are using the correct syntax.</li> <li>Search the <a href='http://www.adobe.com/go/prod_support/' target="new">Knowledge Base</a> to find a solution to your problem.</li>
<a href="javascript:;" onMouseOver="window.status='Click to expand stack trace';return true;" onMouseOut="window.status='';return true;" onClick="showHide('cf_stacktrace');return true;">Stack Trace (click to expand)</a>
</td> </tr> <tr> <td id="cf_stacktrace" style="display:none"> <font style="COLOR: black; FONT: 8pt/11pt verdana"> at cfSecurity2ecfc105304323$funcGETUSERBYUUID.runFunction(F:\wwwroot\cxprod\COM\Security.cfc:88) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:19) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:27) at cfSecurity2ecfc105304323$funcGETUSERBYUUID.runFunction(F:\wwwroot\cxprod\COM\Security.cfc:88) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:19) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:27) <br /> <br /> <pre>java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when converting from a character string to uniqueidentifier. at macromedia.jdbc.sqlserverbase.dda4.b(Unknown Source) at macromedia.jdbc.sqlserverbase.dda4.a(Unknown Source) at macromedia.jdbc.sqlserverbase.dda3.b(Unknown Source) at macromedia.jdbc.sqlserverbase.dda3.a(Unknown Source) at macromedia.jdbc.sqlserver.tds.ddr.v(Unknown Source) at macromedia.jdbc.sqlserver.tds.ddr.a(Unknown Source) at macromedia.jdbc.sqlserver.tds.ddr.a(Unknown Source) at macromedia.jdbc.sqlserver.ddj.l(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.e(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.a(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.v(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.r(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.execute(Unknown Source) at coldfusion.server.j2ee.sql.JRunStatement.execute(JRunStatement.java:348) at coldfusion.sql.Executive.executeQuery(Executive.java:1364) at coldfusion.sql.Executive.executeQuery(Executive.java:1127) at coldfusion.sql.Executive.executeQuery(Executive.java:1058) at coldfusion.sql.SqlImpl.execute(SqlImpl.java:341) at coldfusion.tagext.sql.QueryTag.executeQuery(QueryTag.java:915) at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:590) at cfSecurity2ecfc105304323$funcGETUSERBYUUID.runFunction(F:\wwwroot\cxprod\COM\Security.cfc:88) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2360) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:19) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:27) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:381) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:200) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)</pre></td> </tr> </table>
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.
Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.
Remedy
Analyse this issue and review the application code in order to handle unexpected errors, this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.
GET /cx/pw/index.cfm?action=check_email HTTP/1.1 Referer: http://cx.trizetto.com/cx/pw/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: cx.trizetto.com Cookie: CFID=334550; CFTOKEN=5a2233eac4d6b208-ED9B1D99-EA98-89CA-B444868B061CA454; JSESSIONID=84301705df4a9e9ebd093268662a7e673dc6; CFGLOBALS=urltoken%3DCFID%23%3D334550%26CFTOKEN%23%3D5a2233eac4d6b208%2DED9B1D99%2DEA98%2D89CA%2DB444868B061CA454%26jsessionid%23%3D84301705df4a9e9ebd093268662a7e673dc6%23lastvisit%3D%7Bts%20%272011%2D05%2D02%2009%3A38%3A59%27%7D%23timecreated%3D%7Bts%20%272011%2D05%2D02%2009%3A38%3A58%27%7D%23hitcount%3D3%23cftoken%3D5a2233eac4d6b208%2DED9B1D99%2DEA98%2D89CA%2DB444868B061CA454%23cfid%3D334550%23; CFCLIENT_CXPROD=cxname%3Dnobody%23cx%5Fuserid%3D0%23userid%3D0%23cxlevel%3D1%23pass%3Dno%23 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Element RECORDCOUNT is undefined in QGETEMAIL. Connection: close Date: Mon, 02 May 2011 15:38:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<font style="COLOR: black; FONT: 16pt/18pt verdana"> The web site you are accessing has experienced an unexpected error.<br> Please contact the website administrator.
</font> <br><br> <table border="1" cellpadding="3" bordercolor="#000808" bgcolor="#e7e7e7"> <tr> <td bgcolor="#000066"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> The following information is meant for the website developer for debugging purposes. </font> </td> <tr> <tr> <td bgcolor="#4646EE"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> Error Occurred While Processing Request </font> </td> </tr> <tr> <td> <font style="COLOR: black; FONT: 8pt/11pt verdana">
<li>Check the <a href='http://www.adobe.com/go/prod_doc' target="new">ColdFusion documentation</a> to verify that you are using the correct syntax.</li> <li>Search the <a href='http://www.adobe.com/go/prod_support/' target="new">Knowledge Base</a> to find a solution to your problem.</li>
<a href="javascript:;" onMouseOver="window.status='Click to expand stack trace';return true;" onMouseOut="window.status='';return true;" onClick="showHide('cf_stacktrace');return true;">Stack Trace (click to expand)</a>
</td> </tr> <tr> <td id="cf_stacktrace" style="display:none"> <font style="COLOR: black; FONT: 8pt/11pt verdana"> at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:37) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:17) <br /> <br /> <pre>coldfusion.runtime.UndefinedElementException: Element RECORDCOUNT is undefined in QGETEMAIL. at coldfusion.runtime.CfJspPage.resolveCanonicalName(CfJspPage.java:1724) at coldfusion.runtime.CfJspPage._resolve(CfJspPage.java:1620) at coldfusion.runtime.CfJspPage._resolveAndAutoscalarize(CfJspPage.java:1794) at coldfusion.runtime.CfJspPage._resolveAndAutoscalarize(CfJspPage.java:1787) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:37) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:17) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:381) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:200) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)</pre></td> </tr> </table>
Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..
Impact
During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.
Actions to Take
See the remedy for solution
Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.
Remedy
Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL Injection vulnerability. Most of the time Netsparker will detect and report that problem separately.
Remedy
Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.
<font style="COLOR: black; FONT: 16pt/18pt verdana"> The web site you are accessing has experienced an unexpected error.<br> Please contact the website administrator.
</font> <br><br> <table border="1" cellpadding="3" bordercolor="#000808" bgcolor="#e7e7e7"> <tr> <td bgcolor="#000066"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> The following information is meant for the website developer for debugging purposes. </font> </td> <tr> <tr> <td bgcolor="#4646EE"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> Error Occurred While Processing Request </font> </td> </tr> <tr> <td> <font style="COLOR: black; FONT: 8pt/11pt verdana">
<li>Check the <a href='http://www.adobe.com/go/prod_doc' target="new">ColdFusion documentation</a> to verify that you are using the correct syntax.</li> <li>Search the <a href='http://www.adobe.com/go/prod_support/' target="new">Knowledge Base</a> to find a solution to your problem.</li>
<a href="javascript:;" onMouseOver="window.status='Click to expand stack trace';return true;" onMouseOut="window.status='';return true;" onClick="showHide('cf_stacktrace');return true;">Stack Trace (click to expand)</a>
</td> </tr> <tr> <td id="cf_stacktrace" style="display:none"> <font style="COLOR: black; FONT: 8pt/11pt verdana"> at cfSecurity2ecfc105304323$funcGETUSERBYUUID.runFunction(F:\wwwroot\cxprod\COM\Security.cfc:88) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:19) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:27) at cfSecurity2ecfc105304323$funcGETUSERBYUUID.runFunction(F:\wwwroot\cxprod\COM\Security.cfc:88) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:19) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:27) <br /> <br /> <pre>java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when converting from a character string to uniqueidentifier. at macromedia.jdbc.sqlserverbase.dda4.b(Unknown Source) at macromedia.jdbc.sqlserverbase.dda4.a(Unknown Source) at macromedia.jdbc.sqlserverbase.dda3.b(Unknown Source) at macromedia.jdbc.sqlserverbase.dda3.a(Unknown Source) at macromedia.jdbc.sqlserver.tds.ddr.v(Unknown Source) at macromedia.jdbc.sqlserver.tds.ddr.a(Unknown Source) at macromedia.jdbc.sqlserver.tds.ddr.a(Unknown Source) at macromedia.jdbc.sqlserver.ddj.l(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.e(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.a(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.v(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.r(Unknown Source) at macromedia.jdbc.sqlserverbase.ddde.execute(Unknown Source) at coldfusion.server.j2ee.sql.JRunStatement.execute(JRunStatement.java:348) at coldfusion.sql.Executive.executeQuery(Executive.java:1364) at coldfusion.sql.Executive.executeQuery(Executive.java:1127) at coldfusion.sql.Executive.executeQuery(Executive.java:1058) at coldfusion.sql.SqlImpl.execute(SqlImpl.java:341) at coldfusion.tagext.sql.QueryTag.executeQuery(QueryTag.java:915) at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:590) at cfSecurity2ecfc105304323$funcGETUSERBYUUID.runFunction(F:\wwwroot\cxprod\COM\Security.cfc:88) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2360) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:19) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:27) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:381) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:200) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)</pre></td> </tr> </table>
GET /jslibraries/jquery/ HTTP/1.1 Referer: http://cx.trizetto.com/jslibraries/jquery/jquery-1.3.2.min.js User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: cx.trizetto.com Cookie: CFID=334550; CFTOKEN=5a2233eac4d6b208-ED9B1D99-EA98-89CA-B444868B061CA454; JSESSIONID=84301705df4a9e9ebd093268662a7e673dc6; CFGLOBALS=urltoken%3DCFID%23%3D334550%26CFTOKEN%23%3D5a2233eac4d6b208%2DED9B1D99%2DEA98%2D89CA%2DB444868B061CA454%26jsessionid%23%3D84301705df4a9e9ebd093268662a7e673dc6%23lastvisit%3D%7Bts%20%272011%2D05%2D02%2009%3A38%3A58%27%7D%23timecreated%3D%7Bts%20%272011%2D05%2D02%2009%3A38%3A58%27%7D%23hitcount%3D2%23cftoken%3D5a2233eac4d6b208%2DED9B1D99%2DEA98%2D89CA%2DB444868B061CA454%23cfid%3D334550%23 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 403 Forbidden Content-Length: 218 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Mon, 02 May 2011 15:38:58 GMT
<html><head><title>Error</title></head><body><head><title>Directory Listing Denied</title></head><body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></body></html>
Netsparker found e-mail addresses on the web site.
Impact
E-mail addresses discovered within the application can be used by both spam email engines and also brute force tools. Furthermore valid email addresses may lead to social engineering attacks .
Remedy
Use generic email addresses such as contact@ or info@ for general communications, remove user/people specific e-mail addresses from the web site, should this be required use submission forms for this purpose.
<TABLE align="center" border="0" cellpadding="4" cellspacing="0" width="600"> <tr > <td> <strong>Thank you for your request.</strong> An e-mail containing your username and a temporary password will be sent to the e-mail address that you entered. <br><br> When you log in with the temporary password, you will be prompted to create a permanent password. <br><br> If the username and password are blank on the e-mail that you receive, your record is established in our database, but you have not been granted access to Customer Exchange by your organization’s super user. Please contact your super user to request access to Customer Exchange. <br><br> If you are still experiencing login issues, please send an email with your name, company and telephone number to <a href="mailto:customerexchange@trizetto.com?subject=Login Problem" class="contact">Customer Exchange</a>. </td> </tr> <tr> <td align="center"><a href="http://cx.trizetto.com/"><img src="/images/buttons/btn_ReturnCX.gif" border="0" alt="Return to CX"></a></td> </tr> </table>
Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.
Impact
An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.
Remediation
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
Netsparker identified that the response from the page returned an HTTP Redirect Status but output more information than usual. This generally indicates that after redirect, page did not finish the response as it was supposed to.
Impact
This can lead serious issues such authentication bypass in authentication required pages, in other pages it generally indicates a programming error.
Remedy
Finish the HTTP Response after you redirect the user.
In ASP.NET use Response.Redirect("redirected-page.aspx", true); instead of Response.Redirect("redirected-page.aspx", false);
In PHP applications call exit(); after you redirect the user.
Netsparker identified an internal path in the document.
Impact
There is no direct impact however this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.
Remedy
First ensure that this is not a false positive. Due to the nature of the issue. Netsparker could not confirm that this file path was actually the real file path of the target web server.
Error messages should be disabled.
Remove this kind of sensitive data from the output.
GET /cx/pw/index.cfm?action=check_email HTTP/1.1 Referer: http://cx.trizetto.com/cx/pw/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: cx.trizetto.com Cookie: CFID=334550; CFTOKEN=5a2233eac4d6b208-ED9B1D99-EA98-89CA-B444868B061CA454; JSESSIONID=84301705df4a9e9ebd093268662a7e673dc6; CFGLOBALS=urltoken%3DCFID%23%3D334550%26CFTOKEN%23%3D5a2233eac4d6b208%2DED9B1D99%2DEA98%2D89CA%2DB444868B061CA454%26jsessionid%23%3D84301705df4a9e9ebd093268662a7e673dc6%23lastvisit%3D%7Bts%20%272011%2D05%2D02%2009%3A38%3A59%27%7D%23timecreated%3D%7Bts%20%272011%2D05%2D02%2009%3A38%3A58%27%7D%23hitcount%3D3%23cftoken%3D5a2233eac4d6b208%2DED9B1D99%2DEA98%2D89CA%2DB444868B061CA454%23cfid%3D334550%23; CFCLIENT_CXPROD=cxname%3Dnobody%23cx%5Fuserid%3D0%23userid%3D0%23cxlevel%3D1%23pass%3Dno%23 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Element RECORDCOUNT is undefined in QGETEMAIL. Connection: close Date: Mon, 02 May 2011 15:38:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<font style="COLOR: black; FONT: 16pt/18pt verdana"> The web site you are accessing has experienced an unexpected error.<br> Please contact the website administrator.
</font> <br><br> <table border="1" cellpadding="3" bordercolor="#000808" bgcolor="#e7e7e7"> <tr> <td bgcolor="#000066"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> The following information is meant for the website developer for debugging purposes. </font> </td> <tr> <tr> <td bgcolor="#4646EE"> <font style="COLOR: white; FONT: 11pt/13pt verdana" color="white"> Error Occurred While Processing Request </font> </td> </tr> <tr> <td> <font style="COLOR: black; FONT: 8pt/11pt verdana">
<li>Check the <a href='http://www.adobe.com/go/prod_doc' target="new">ColdFusion documentation</a> to verify that you are using the correct syntax.</li> <li>Search the <a href='http://www.adobe.com/go/prod_support/' target="new">Knowledge Base</a> to find a solution to your problem.</li>
<a href="javascript:;" onMouseOver="window.status='Click to expand stack trace';return true;" onMouseOut="window.status='';return true;" onClick="showHide('cf_stacktrace');return true;">Stack Trace (click to expand)</a>
</td> </tr> <tr> <td id="cf_stacktrace" style="display:none"> <font style="COLOR: black; FONT: 8pt/11pt verdana"> at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:37) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:17) <br /> <br /> <pre>coldfusion.runtime.UndefinedElementException: Element RECORDCOUNT is undefined in QGETEMAIL. at coldfusion.runtime.CfJspPage.resolveCanonicalName(CfJspPage.java:1724) at coldfusion.runtime.CfJspPage._resolve(CfJspPage.java:1620) at coldfusion.runtime.CfJspPage._resolveAndAutoscalarize(CfJspPage.java:1794) at coldfusion.runtime.CfJspPage._resolveAndAutoscalarize(CfJspPage.java:1787) at cfdsp_email2ecfm1064487830.runPage(F:\wwwroot\cxprod\cx\pw\dsp_email.cfm:37) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at cfindex2ecfm1539588565.runPage(F:\wwwroot\cxprod\cx\pw\index.cfm:17) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:381) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:200) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)</pre></td> </tr> </table>